NPM how to update/upgrade transitive dependencies?

I am using express v4.16.4 in my node server.

It has pulled in cookie-signature v1.0.6.

I want to upgrade cookie-signature to v1.1.0 as it has a fix which I require. What is the way to do that?

I don't think I should do a npm install cookie-signature@1.1.0 as it would list cookie-signature in my app dependencies.

EDIT: this discusses the exact same problem that I am looking to solve. The accepted answer is using npm-shrinkwrap, and another top voted answer using package-lock.json, but both of these seem to have issues as discussed in respective comments.

Happy to close this as a duplicate.

You might also be able to solve the issue by adding a resolutions key in the package.json to "enforce" certain versions of dependencies:

{
  "resolutions": {
    "cookie-signature": "^1.1.0"
  }
}

To actually make use of that, you have to use npm-force-resolutions in preinstall:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

See this post for further information: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d

We had a very similar problem. Protractor 5.4.2 has a dependency on webdriver-manager@^12.0.6. In package-lock.json webdriver-manager was fixed to 12.1.5. However, we needed 12.1.7 in order to make it work with all the latest chrome versions.

We noticed that npm would install version 12.1.7 when removing node_modules and package-lock.json, but we did not find a way to automatically update package-lock.json. So these are the steps we took:

  1. Remove node_modules
  2. Remove package-lock.json
  3. Run npm install
  4. Open package-lock.json and copy the webdriver-manager section to another file
  5. Undo (git checkout) all changes in package-lock.json
  6. Copy the saved webdriver-manager part back into package-lock.json
  7. Remove node_modules
  8. Run npm install
  9. Check node_modules/protractor/node_modules/webdriver-manager/package.json that the right version was installed.

I think this workaround should work for express and cookie-signature as well.

NPM 8 introduced "overrides" which allows you to override specific transitive dependencies of your direct dependency. For your use case, you would declare something like below in your package.json.

{
  "overrides": {
    "express": {
      "cookie-signature": "1.1.0"
    }
  }
}

More details @ https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
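Whichever mechanism is used (the resolutions key from the earlier answer or npm 8 overrides from this one), the thing worth checking afterwards is that no copy of the pinned package anywhere in package-lock.json still resolves to the old version. The script below is an added example, not code from the thread or from npm; it reads the "packages" map of a lockfileVersion 2/3 lock and reports every entry that does not satisfy the pin. The lockfile contents and the findViolations/satisfies helpers are constructed here for illustration and support only exact, ^ and ~ ranges.

```javascript
// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver matcher: exact ("1.1.0"), caret ("^1.1.0") and tilde ("~1.1.0").
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^') || range.startsWith('~')) {
    const base = parseVersion(range.slice(1));
    if (compare(v, base) < 0) return false;
    // tilde, and caret on a 0.x base, lock major and minor; caret otherwise locks major
    if (range[0] === '~' || base[0] === 0) return v[0] === base[0] && v[1] === base[1];
    return v[0] === base[0];
  }
  return compare(v, parseVersion(range)) === 0;
}

// Flatten nested overrides ({"express": {"cookie-signature": "1.1.0"}}) and flat
// resolutions into [{name, range}]; the parent key only scopes where npm applies it.
function flattenOverrides(overrides, out = []) {
  for (const [name, spec] of Object.entries(overrides)) {
    if (typeof spec === 'string') out.push({ name, range: spec });
    else flattenOverrides(spec, out);
  }
  return out;
}

// Every lock entry (hoisted or nested) for a pinned package whose resolved
// version does not satisfy the pin. An empty result means the pin took effect.
function findViolations(packageJson, lockJson) {
  const pins = flattenOverrides(packageJson.overrides || packageJson.resolutions || {});
  const violations = [];
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    const name = path.split('node_modules/').pop(); // handles @scope/name too
    for (const pin of pins) {
      if (name === pin.name && !satisfies(entry.version, pin.range)) {
        violations.push({ path, version: entry.version, expected: pin.range });
      }
    }
  }
  return violations;
}

// Constructed sample data mirroring the thread: the lock before and after the override.
const packageJson = { overrides: { express: { 'cookie-signature': '1.1.0' } } };
const lockBefore = { packages: { 'node_modules/express': { version: '4.16.4' },
  'node_modules/cookie-signature': { version: '1.0.6' } } };
const lockAfter = { packages: { 'node_modules/express': { version: '4.16.4' },
  'node_modules/cookie-signature': { version: '1.1.0' } } };
```

Run it against your real files by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; a non-empty result after `npm install` means the override was not applied.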
