npm audit fix not updating package.json
I want to fix a vulnerability, and after many tries and attempts I want to use the fix that npm audit fix provides. npm audit says:
# Run npm update mkdirp --depth 8 to resolve 10 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ less > mkdirp > minimist                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-xvch-5gv4-984h            │
└──────────────
Now, I ran the command above, and the result was:
npm update mkdirp --depth 8
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN grunt-webpack@2.0.1 requires a peer of webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN karma-webpack@2.0.3 requires a peer of webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0 but none is installed. You must install peer dependencies yourself.
npm WARN The package style-loader is included as both a dev and production dependency.
npm WARN The package uuid is included as both a dev and production dependency.
+ mkdirp@0.5.6
added 4 packages from 1 contributor, updated 1 package and audited 1827 packages in 8.439s
4 packages are looking for funding
run `npm fund` for details
found 528 vulnerabilities (31 low, 169 moderate, 228 high, 100 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Now, if I run npm audit, the vulnerability is gone, but I don't see any change in the package.json file. Only package-lock.json was changed, which we shouldn't check in. How do I get npm audit to change package.json so that it can be checked in?
"Only package-lock.json was changed, which we shouldn't check in"
This is wrong; you should check it in. The whole point of the file is to ensure that other people using the repository run the same versions as you.
To answer your question (a bit late): the vulnerability may exist in one of the dependencies of your dependencies, if that makes sense. For example, you have installed package A, which depends on package B. Package A will be in your package.json, but package B will only be in the lock file.
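To make the answer's point concrete (package A in package.json, package B only in the lock file), here is an added example that is not part of the question or the answer. It walks a lockfileVersion 1 package-lock.json from the direct dependencies in package.json and reports every chain that leads to a given package, the same "less > mkdirp > minimist" path npm audit printed above. Both JSON documents are constructed for the example and are assumptions, not the asker's real files; the function names are this example's own.

```python
import json

# Constructed package.json modelled on the question (assumption, not the asker's file).
PACKAGE_JSON = json.loads("""{
  "name": "example-app",
  "dependencies": { "less": "^3.0.0" },
  "devDependencies": { "uuid": "^3.0.0" }
}""")

# Constructed lockfileVersion 1 package-lock.json (assumption). In this format the
# top-level "dependencies" object is the hoisted node_modules tree, and each entry's
# "requires" lists the packages that entry itself depends on. Note that "mkdirp" and
# "minimist" appear only here, never in package.json.
PACKAGE_LOCK = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "less":     {"version": "3.0.0", "requires": {"mkdirp": "^0.5.0"}},
    "mkdirp":   {"version": "0.5.6", "requires": {"minimist": "^1.2.6"}},
    "minimist": {"version": "1.2.6"},
    "uuid":     {"version": "3.4.0", "dev": true}
  }
}""")


def direct_dependencies(manifest):
    """Names declared in package.json: the only packages the manifest knows about."""
    names = set(manifest.get("dependencies", {}))
    names |= set(manifest.get("devDependencies", {}))
    return names


def lookup(lock, name, scope_stack):
    """Resolve a package the way the node_modules tree does: the nearest nested
    'dependencies' block wins, otherwise fall back to the hoisted top level."""
    for scope in reversed(scope_stack):
        entry = scope.get("dependencies", {}).get(name)
        if entry is not None:
            return entry
    return lock.get("dependencies", {}).get(name)


def dependency_paths(manifest, lock, target):
    """Return every 'a > b > target' chain from a direct dependency down to target."""
    found = []

    def walk(name, scopes, path):
        entry = lookup(lock, name, scopes)
        if entry is None or name in path:  # unresolved package or a cycle: stop
            return
        path = path + [name]
        if name == target:
            found.append(" > ".join(path))
            return
        for child in entry.get("requires", {}):
            walk(child, scopes + [entry], path)

    for root in sorted(direct_dependencies(manifest)):
        walk(root, [], [])
    return found


def locked_version(lock, name):
    """Version pinned in the lock file for a hoisted package, or None if absent."""
    entry = lock.get("dependencies", {}).get(name)
    return entry.get("version") if entry else None


def is_transitive_only(manifest, lock, name):
    """True when the package is reachable in the lock file but not declared in package.json."""
    return name not in direct_dependencies(manifest) and bool(dependency_paths(manifest, lock, name))


if __name__ == "__main__":
    for pkg in ("minimist", "less"):
        print(pkg, dependency_paths(PACKAGE_JSON, PACKAGE_LOCK, pkg),
              "locked at", locked_version(PACKAGE_LOCK, pkg),
              "transitive only:", is_transitive_only(PACKAGE_JSON, PACKAGE_LOCK, pkg))
```

Running this shows why `npm update mkdirp --depth 8` changed nothing in package.json: mkdirp and minimist are reachable only through less, so the only place their resolved versions are recorded is the lock file, which is exactly why the lock file belongs in version control.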