
upgrade a dependency of a global package in npm

  • npm version: 3.10.10
  • node version: 6.14.2

I need to upgrade some dependencies of npm to address some security warnings. An example: sshpk is a dependency of npm via http-signature and request:

bash-4.3# npm ls sshpk -g
/usr/local/lib
`-- npm@3.10.10
  `-- request@2.75.0
    `-- http-signature@1.1.1
      `-- sshpk@1.10.1

I need sshpk to get upgraded to >=1.14.1, which is possible given the version lock in http-signature@1.1.1's package.json:

"dependencies": {
    "assert-plus": "^0.2.0",
    "jsprim": "^1.2.2",
    "sshpk": "^1.7.0"
  },

I've tried running npm upgrade -g npm@3 and npm --depth 9999 upgrade -g npm@3 without any success. It seems that npm doesn't continue in any update action since it notices we're already on the latest npm 3.xx release of 3.10.10.

I need to be able to keep npm's dependencies up-to-date as far as security patches go. Is this possible through npm update directly? I'm thinking of something similar to yarn upgrade <package>@<version> where it will traverse a package's sub-dependencies and upgrade those, even if the parent package isn't in need of a version change.

A reliable way to reinstall the package is to remove it or node_modules and install again.

Since NPM cannot be installed without NPM, this requires Node to be reinstalled.

An alternative is to install a spare NPM wrapper (e.g. npm3) and use it to reinstall the main npm package:

npm i -g npm3
rm -rf npm/
npm3 i -g npm@3

The --force option can be used to reinstall the package, but it doesn't guarantee that package dependencies will be reinstalled.
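
To confirm whether a reinstall actually replaced the vulnerable copy, the following added example (not part of the original question or answer) walks a tree in the shape produced by `npm ls -g --json`, lists every installed copy of a package older than the patched version, and checks that the parent's caret range admits the fix. The function names and the sample tree are constructed for illustration; the caret check covers only majors >= 1 and ignores pre-release tags.

```javascript
'use strict';

// Parse "1.10.1" into [1, 10, 1]; pre-release tags are dropped (simplification).
function parse(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Numeric comparison, so "1.10.1" correctly sorts after "1.7.0".
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True if version satisfies a caret range such as "^1.7.0" (major >= 1 only).
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, '');
  return parse(version)[0] === parse(base)[0] && compare(version, base) >= 0;
}

// Walk the dependency tree, collecting every path that ends at `name`.
function findCopies(node, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const path = trail.concat(`${dep}@${info.version}`);
    // Entries flagged as missing carry no version; skip them.
    if (dep === name && info.version) {
      out.push({ path: path.join(' > '), version: info.version });
    }
    findCopies(info, name, path, out);
  }
  return out;
}

// Constructed sample mirroring the tree shown in the question.
const sampleTree = { dependencies: { npm: { version: '3.10.10', dependencies: {
  request: { version: '2.75.0', dependencies: {
    'http-signature': { version: '1.1.1', dependencies: {
      sshpk: { version: '1.10.1' } } } } } } } } };

function audit(tree, name, minVersion, declaredRange) {
  return {
    fixAllowedByRange: satisfiesCaret(minVersion, declaredRange),
    outdated: findCopies(tree, name).filter(c => compare(c.version, minVersion) < 0),
  };
}

console.log(JSON.stringify(audit(sampleTree, 'sshpk', '1.14.1', '^1.7.0'), null, 2));
```

To check a real install, parse the output of `npm ls -g --json` with JSON.parse and pass the result as the tree; an empty `outdated` list after the reinstall means no copy below the patched version remains.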
