npm - how to upgrade transitive dependencies to a specific newer version? (in order to fix a CVE)
Below are the packages I need to upgrade.

I tried to update the version and signature of the packages below in package-lock.json.

Once I run npm i after modifying package-lock.json, the changes made in package-lock.json disappear.

As of today, the xmldom npm package cannot be upgraded to 0.7.0, as the maintainers are facing some problem pushing version 0.7.0 to the npm registry.

I have tried the answers mentioned in other Stack Overflow posts, but they do not seem to fix my issue even though the reported issues are the same.

If there are any standard approaches to solve this, kindly share them.

Please suggest how to resolve this.
package.json

{
  "name": "qabot",
  "version": "1.0.0",
  "description": "",
  "main": "index.slack.js",
  "nodemonConfig": {
    "ignore": [
      "config/*",
      "tempdirectory/*"
    ]
  },
  "engines": {
    "node": "12.18.4"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@slack/bolt": "^3.2.0",
    "axios": "^0.21.1",
    "botbuilder": "^4.12.0",
    "convert-excel-to-json": "^1.7.0",
    "express": "^4.17.1",
    "node-vault": "^0.9.22",
    "node-vault-client": "^0.5.6",
    "qs": "^6.10.1"
  }
}
There are a lot of options for this. The first thing I would do is determine if any of these warnings are even relevant.

In your case, the xmldom dependency is itself a dependency of adal-node, which is "for node.js applications to authenticate to AAD in order to access AAD protected web resources". If you're not doing anything remotely like that, then chances are you don't need to worry about it too much. (You can take extra steps anyway if you like, such as removing node_modules/xmldom or replacing it with 0.7.0.)

The other two vulnerabilities are in dependencies of convert-excel-to-json.

One is yargs-parser, a command-line arguments parser. If you are not using the command line for convert-excel-to-json, or not allowing users to affect the arguments passed to the CLI, then you are likely unaffected by that one.

The last is a denial of service in xlsx. This one is a dependency you are likely using, as you are using the convert-excel-to-json module directly. (If you're not, npm uninstall convert-excel-to-json to resolve.) If you are in control of the .xlsx file contents (and the user has no ability to affect the contents), then you are likely not vulnerable. You may also decide that a denial of service is not something you're worried about, depending on the use case. (If the bot or whatever you're building only has one or two users and it's you and your friend or whatever, you're both unlikely to intentionally DoS your own service.)

If any of these do affect you and are significant issues for you, then you have lots of things you might try:
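The answer above triages each advisory by asking which direct dependency drags the flagged package in and whether the application actually exercises it. The script below is an added example, not code from the question or the answer: it walks a package-lock.json in the lockfileVersion 1 layout that npm 6 (the npm bundled with the node 12.18.4 pinned in the question) writes, resolving each "requires" edge the way Node resolves a require() call (nearest nested node_modules first, then each ancestor, then the root), and lists every chain from a direct dependency down to a named package. That tells you which top-level package to upgrade or drop, and whether more than one copy of the package is installed. The embedded lockfile is constructed for this example: the package names are taken from the thread, but every version, requires entry and nesting in it is an assumption.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample package-lock.json (lockfileVersion 1, npm 6 layout).
# Package names come from the thread; the versions, "requires" entries and
# the nesting are assumptions made for this illustration, not a real install.
SAMPLE_LOCK = json.loads("""
{
  "name": "qabot",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "botbuilder": {"version": "4.12.0", "requires": {"botframework-connector": "4.12.0"}},
    "botframework-connector": {"version": "4.12.0", "requires": {"adal-node": "0.1.28"}},
    "adal-node": {"version": "0.1.28", "requires": {"xmldom": ">= 0.1.x"}},
    "xmldom": {"version": "0.5.0"},
    "convert-excel-to-json": {
      "version": "1.7.0",
      "requires": {"xlsx": "^0.17.0", "yargs": "^15.0.0"},
      "dependencies": {"xlsx": {"version": "0.17.0"}}
    },
    "yargs": {"version": "15.4.1", "requires": {"yargs-parser": "^18.1.2"}},
    "yargs-parser": {"version": "18.1.3"},
    "express": {
      "version": "4.17.1",
      "requires": {"qs": "6.7.0"},
      "dependencies": {"qs": {"version": "6.7.0"}}
    },
    "qs": {"version": "6.10.1"}
  }
}
""")

# Direct dependencies from the question's package.json, limited to the ones the
# constructed lockfile above models.
DIRECT_DEPS = ["botbuilder", "convert-excel-to-json", "express", "qs"]

Node = Dict[str, object]
Scope = List[Dict[str, Node]]  # "dependencies" maps from the root node_modules inward


def resolve(name: str, scope: Scope) -> Tuple[Optional[Node], int]:
    """Mimic Node's lookup: nearest nested node_modules first, then each ancestor, then root.

    Returns the lock entry and the scope depth it was found at (None, -1 if missing).
    """
    for depth in range(len(scope) - 1, -1, -1):
        if name in scope[depth]:
            return scope[depth][name], depth
    return None, -1


def paths_to(lock: dict, direct_deps: List[str], target: str) -> List[List[str]]:
    """Every chain direct-dep -> ... -> target, each hop labelled name@version."""
    root_deps: Dict[str, Node] = lock.get("dependencies", {})
    found: List[List[str]] = []

    def walk(name: str, scope: Scope, path: List[str]) -> None:
        node, depth = resolve(name, scope)
        if node is None:
            return  # dangling "requires" edge (inconsistent lockfile): skip, don't crash
        if any(hop.rsplit("@", 1)[0] == name for hop in path):
            return  # cycle guard; circular requires do occur in real trees
        path = path + [f"{name}@{node.get('version', '?')}"]
        if name == target:
            found.append(path)
            return
        # A package's own requires resolve from its own nested node_modules outward,
        # starting at the level it was installed at, not at the requester's level.
        child_scope = scope[: depth + 1] + [node.get("dependencies", {})]
        for required in node.get("requires", {}):
            walk(required, child_scope, path)

    for dep in direct_deps:
        walk(dep, [root_deps], [])
    return found


def installed_versions(lock: dict, direct_deps: List[str], target: str) -> List[str]:
    """Distinct versions of target that are reachable from a direct dependency."""
    seen: List[str] = []
    for path in paths_to(lock, direct_deps, target):
        version = path[-1].rsplit("@", 1)[1]
        if version not in seen:
            seen.append(version)
    return seen


if __name__ == "__main__":
    for pkg in ("xmldom", "yargs-parser", "xlsx", "qs"):
        print(f"{pkg}: reachable versions {installed_versions(SAMPLE_LOCK, DIRECT_DEPS, pkg)}")
        for chain in paths_to(SAMPLE_LOCK, DIRECT_DEPS, pkg):
            print("   " + " -> ".join(chain))
```

To run it against a real project, replace SAMPLE_LOCK with json.load(open("package-lock.json")) and DIRECT_DEPS with the keys of your package.json "dependencies". In the sample, qs shows up twice because express carries its own nested copy at a different version: a fix applied only to the root entry leaves the nested copy untouched, which is worth checking before treating an advisory as resolved. Lockfiles written as lockfileVersion 2 or 3 describe the same tree under a "packages" map keyed by node_modules path, so that map would need to be folded into the nested form before this walk applies.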