npm - how to upgrade transitive dependencies to a specific newer version? (in order to fix a CVE)

Below are the packages I need to upgrade.

I tried to update the version and signature of the packages below in package-lock.json.

Once I do npm i after modifying package-lock.json, the changes made in package-lock.json disappear.

[image: list of packages to upgrade]

As of today, the xmldom npm package cannot be upgraded to 0.7.0, as the maintainers are facing some problem pushing version 0.7.0 to the npm registry.

I have tried the answers mentioned in other Stack Overflow posts, but they do not seem to fix my issue even though the reported issues are the same.

If there are any standard approaches to solve this, kindly share them.

Please suggest how to resolve this.

package.json

{
  "name": "qabot",
  "version": "1.0.0",
  "description": "",
  "main": "index.slack.js",
  "nodemonConfig": {
    "ignore": [
      "config/*",
      "tempdirectory/*"
    ]
  },
  "engines": {
    "node": "12.18.4"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@slack/bolt": "^3.2.0",
    "axios": "^0.21.1",
    "botbuilder": "^4.12.0",
    "convert-excel-to-json": "^1.7.0",
    "express": "^4.17.1",
    "node-vault": "^0.9.22",
    "node-vault-client": "^0.5.6",
    "qs": "^6.10.1"
  }
}

There are a lot of options for this. The first thing I would do is determine if any of these warnings are even relevant.

In your case, the xmldom dependency is itself a dependency of adal-node which is "for node.js applications to authenticate to AAD in order to access AAD protected web resources". If you're not doing anything remotely like that, then chances are you don't need to worry about it too much. (You can take extra steps anyway if you like, such as removing node_modules/xmldom or replacing it with 0.7.0.)

The other two vulnerabilities are in dependencies of convert-excel-to-json.

One is yargs-parser, a command-line arguments parser. If you are not using the command-line for convert-excel-to-json, or not allowing users to affect the arguments passed to the CLI, then you are likely unaffected by that one.

The last is a denial of service in xlsx. This one is a dependency you are likely using as you are using the convert-excel-to-json module directly. (If you're not, npm uninstall convert-excel-to-json to resolve.) If you are in control of the .xlsx file contents (and the user has no ability to affect the contents), then you are likely not vulnerable. You may also decide that a denial of service is not something you're worried about, depending on the use case. (If the bot or whatever you're building only has one or two users and it's you and your friend or whatever, you're both unlikely to intentionally DoS your own service.)

If any of these do affect you and are significant issues for you, then you have lots of things you might try:

  • Check relevant issue trackers to see if a fix is in the works.
  • Manually update dependencies to supposedly-incompatible versions (but only if you have good test coverage).
  • Look for alternative dependencies.
  • Fork the existing dependencies and use your fork.
  • Other options I'm not thinking of right now, many of which might be better than all of the above.
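The answer's first step, working out which of your direct dependencies actually drags a flagged package in, can be done mechanically from package-lock.json instead of by hand. The script below is an added example, not code from the question or the answer: it walks a lockfileVersion 1 lock (the format npm 6, bundled with Node 12, writes), resolves each "requires" edge the way Node's module loader would (nearest nested node_modules first, then each enclosing package, then the root), and reports every chain from a direct dependency to the flagged package together with whether the installed version is below the fixing version. The sampleLock object is constructed for illustration; its chains (botbuilder > adal-node > xmldom, yargs with a nested yargs-parser) and version numbers are assumptions, not the real dependency graphs of those packages. The list of direct dependencies is taken from the package.json in the question.

```javascript
// Added example, not code from the original post. Walks a lockfileVersion 1
// package-lock.json and lists every chain by which a flagged package is pulled
// in from the direct dependencies, so an audit warning can be judged against
// the code the app actually uses.
//
// CONSTRUCTED sample lock: the chains and versions are assumptions for the
// demo, not the real dependency graphs of these packages.
const sampleLock = {
  name: "qabot",
  lockfileVersion: 1,
  dependencies: {
    // hypothetical chain: botbuilder -> adal-node -> xmldom (the answer only
    // states that xmldom is a dependency of adal-node)
    "adal-node": { version: "0.1.28", requires: { xmldom: "^0.5.0" } },
    botbuilder: { version: "4.12.0", requires: { "adal-node": "^0.1.28" } },
    "convert-excel-to-json": {
      version: "1.7.0",
      requires: { xlsx: "^0.14.0", yargs: "^10.0.0" },
    },
    xlsx: { version: "0.14.5" },
    xmldom: { version: "0.5.0" },
    yargs: {
      version: "10.1.2",
      requires: { "yargs-parser": "^8.1.0" },
      // nested copy, as npm writes when a version cannot be hoisted (hypothetical)
      dependencies: { "yargs-parser": { version: "8.1.0" } },
    },
  },
};

// Direct dependencies, taken from the package.json in the question.
const directDeps = ["@slack/bolt", "axios", "botbuilder", "convert-excel-to-json",
  "express", "node-vault", "node-vault-client", "qs"];

// Resolve `name` as Node's loader would from the package at the end of `chain`
// (lock nodes from the root down to the requiring package): the requiring
// package's own nested node_modules first, then each enclosing package, then root.
// Returns the physical chain of lock nodes ending at the resolved package.
function resolve(name, chain) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const nested = (chain[i].dependencies || {})[name];
    if (nested) return chain.slice(0, i + 1).concat([nested]);
  }
  return null; // not installed: a dangling requires edge, or not in this lock
}

// Every logical path (direct dep > ... > target) that reaches `target`.
// Each path element is { name, version }.
function findPaths(lock, direct, target) {
  const results = [];
  function walk(name, chain, pathSoFar) {
    const resolved = resolve(name, chain);
    if (!resolved) return;
    const node = resolved[resolved.length - 1];
    // cycle guard: the same name@version already sits on this path
    if (pathSoFar.some((p) => p.name === name && p.version === node.version)) return;
    const path = pathSoFar.concat([{ name, version: node.version }]);
    if (name === target) { results.push(path); return; }
    for (const dep of Object.keys(node.requires || {})) walk(dep, resolved, path);
  }
  for (const name of direct) walk(name, [lock], []);
  return results;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function isOlder(installed, fixedIn) {
  const parse = (v) => v.replace(/^[^0-9]*/, "").split(".").map((n) => parseInt(n, 10) || 0);
  const [a, b] = [parse(installed), parse(fixedIn)];
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// One row per chain: the direct dependency responsible, the full chain, the
// installed version, and whether it is below the version that fixes the CVE.
function report(lock, direct, target, fixedIn) {
  return findPaths(lock, direct, target).map((path) => ({
    via: path[0].name,
    chain: path.map((p) => `${p.name}@${p.version}`).join(" > "),
    installed: path[path.length - 1].version,
    vulnerable: isOlder(path[path.length - 1].version, fixedIn),
  }));
}

// xmldom's fixing version (0.7.0) is the one named in the question.
console.log(JSON.stringify(report(sampleLock, directDeps, "xmldom", "0.7.0"), null, 2));
console.log(JSON.stringify(findPaths(sampleLock, directDeps, "yargs-parser"), null, 2));
```

Run it against a real lock by replacing sampleLock with the parsed contents of your package-lock.json (JSON.parse of the file) and directDeps with the keys of your package.json dependencies. A chain whose first element is a package you only use for something unrelated (the adal-node case in the answer) is the signal that the warning may not apply to you; a chain that ends in a version flagged vulnerable, under a package you do call, is the one worth the manual-update or fork options listed above.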
