NPM how to update/upgrade transitive dependencies?
I am using express v4.16.4 in my node server.
It has pulled in cookie-signature v1.0.6.
I want to upgrade cookie-signature to v1.1.0 as it has a fix which I require. What is the way to do that?
I don't think I should do a npm install cookie-signature@1.1.0 as it would list cookie-signature in my app dependencies.
EDIT: this discusses the exact same problem that I am looking to solve. The accepted answer is using npm-shrinkwrap, and another top voted answer using package-lock.json, but both of these seem to have issues as discussed in respective comments.
Happy to close this as a duplicate.
You might also be able to solve the issue by adding a resolutions key in the package.json to "enforce" certain versions of dependencies:

```json
{
  "resolutions": {
    "cookie-signature": "^1.1.0"
  }
}
```

To actually make use of that, you have to use npm-force-resolutions in preinstall:

```json
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
```

See this post for further information: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d
We had a very similar problem. Protractor 5.4.2 has a dependency on webdriver-manager@^12.0.6. In package-lock.json webdriver-manager was fixed to 12.1.5. However, we needed 12.1.7 in order to make it work with all the latest chrome versions.
We noticed that npm would install version 12.1.7 when removing node_modules and package-lock.json, but we did not find a way to automatically update package-lock.json. So these are the steps we took:

```
npm install
npm install
npm install
npm install
```

I think this workaround should work for express and cookie-signature as well.
NPM 8 introduced "overrides" which allows you to override specific transitive dependencies of your direct dependency. For your use case, you would declare something like below in your package.json.

```json
{
  "overrides": {
    "express": {
      "cookie-signature": "1.1.0"
    }
  }
}
```

More details @ https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
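Whichever mechanism is used (the resolutions/npm-force-resolutions approach in the first answer or the npm 8 overrides approach just above), the thing a practitioner wants afterwards is proof that the pinned version is what actually ended up on disk, since a nested copy under express/node_modules is exactly what the question is trying to avoid. The following is an added example, not code from the question or from any of the answers: it builds the overrides entry for a package.json object and then audits a package-lock.json of lockfileVersion 2 or 3 (which lists every installed copy, hoisted or nested, under its "packages" map) for all copies of a transitive dependency. The package.json and lockfile contents are constructed sample data; the function names are this example's own.

```javascript
// Added example (not from the question or any answer above).
// (1) addOverride: add an npm >= 8 "overrides" entry for a transitive dependency.
// (2) installedVersions / nonCompliantCopies: audit a package-lock.json
//     (lockfileVersion 2 or 3) to confirm which versions actually got installed.
// All package.json and lockfile data below is constructed sample data.

// Return a copy of package.json with overrides[parent][dep] = range.
// Existing overrides are preserved; the parent entry is created if missing.
function addOverride(pkg, parent, dep, range) {
  const overrides = { ...(pkg.overrides || {}) };
  const parentEntry =
    typeof overrides[parent] === 'object' && overrides[parent] !== null
      ? { ...overrides[parent] }
      : {};
  parentEntry[dep] = range;
  overrides[parent] = parentEntry;
  return { ...pkg, overrides };
}

// List every installed copy of `name` in the lockfile's "packages" map.
// Keys look like "node_modules/a" (hoisted) or
// "node_modules/a/node_modules/b" (nested under a).
function installedVersions(lock, name) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${name}`;
  return Object.entries(packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// Paths of installed copies of `name` that are not the exact version required.
function nonCompliantCopies(lock, name, wanted) {
  return installedVersions(lock, name)
    .filter((c) => c.version !== wanted)
    .map((c) => c.path);
}

// --- constructed sample data --------------------------------------------
const samplePackageJson = {
  name: 'my-server',
  dependencies: { express: '4.16.4' },
};

// Constructed lockfile as it might look after a plain
// `npm install cookie-signature@1.1.0`: the new version is hoisted to the top
// level, but express keeps its own nested copy at the old version.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-server', dependencies: { express: '4.16.4' } },
    'node_modules/express': { version: '4.16.4' },
    'node_modules/cookie-signature': { version: '1.1.0' },
    'node_modules/express/node_modules/cookie-signature': { version: '1.0.6' },
  },
};

// Constructed lockfile after `npm install` with the override applied:
// a single copy at the required version.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-server', dependencies: { express: '4.16.4' } },
    'node_modules/express': { version: '4.16.4' },
    'node_modules/cookie-signature': { version: '1.1.0' },
  },
};

// Usage: build the override, then audit both lockfiles.
const updated = addOverride(samplePackageJson, 'express', 'cookie-signature', '1.1.0');
console.log(JSON.stringify(updated, null, 2));
console.log('before override:', nonCompliantCopies(lockBefore, 'cookie-signature', '1.1.0'));
console.log('after override: ', nonCompliantCopies(lockAfter, 'cookie-signature', '1.1.0'));
```

To run this against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result from nonCompliantCopies is the check that the transitive pin took effect, and a non-empty one names the nested paths that still carry the old version.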