package
所以,我有这个包,在package-lock.json中:
"micromatch": {
"version": "2.3.11",
"resolved": ".3.11.tgz",
"integrity": "sha1-hmd8l9FyCzY0MdBNDRUpO9OMFWU=",
"requires": {
"arr-diff": "^2.0.0",
"array-unique": "^0.2.1",
"braces": "^1.8.2",
"expand-brackets": "^0.1.4",
"extglob": "^0.3.1",
"filename-regex": "^2.0.0",
"is-extglob": "^1.0.0",
"is-glob": "^2.0.1",
"kind-of": "^3.0.2",
"normalize-path": "^2.0.1",
"object.omit": "^2.0.0",
"parse-glob": "^3.0.4",
"regex-cache": "^0.4.2"
}
}
漏洞是:“大括号”:“^ 1.8.2”,当我运行npm审计时,它说它固定在2.3.1,但我似乎无法更新它,或者只是不知道如何。
我试过的事情:
- npm安装micromatch和braces,然后进行npm审计修复。
- npm install && npm卸载micromatch和braces,然后运行npm update
- 删除node_modules和package-lock.json并执行npm i -f
- 手动编辑package-lock.json,将版本和需求更改为依赖项,然后执行npm审计修复(修复它,然后我运行npm install,然后将版本回滚到1.8.2)
从npm依赖项中可能有一些我不理解的东西。那么我该如何解决这个问题呢?
编辑为package.json
{
"name": "project",
"version": "0.1.0",
"private": true,
"dependencies": {
"@material-ui/core": "^3.9.2",
"@material-ui/icons": "^3.0.2",
"micromatch": "^3.1.10",
"prop-types": "latest",
"react": "^16.8.2",
"react-async-component": "^2.0.0",
"react-dom": "^16.8.2",
"react-scripts": "^2.1.5",
"typeface-roboto": "0.0.54"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},
"eslintConfig": {
"extends": "react-app"
},
"browserslist": [
">0.2%",
"not dead",
"not ie <= 11",
"not op_mini all"
],
"devDependencies": {
"react-router-dom": "^4.3.1"
}
}
您需要将您的micromatch模块升级到最新版本3.1,该漏洞来自您使用的micromatch 2.3.11,使用较旧版本的大括号。大括号版本在最新版本的micromatch中升级,因此只需升级您的micromatch模块即可。这将解决您的问题。
升级,
- 将主package.json中的micromatch版本替换为3.1.10并保存。
- 删除package-lock.json文件
- 海平面和
当micromatch升级大括号模块时,请参阅此提交 - https://github/micromatch/micromatch/commit/cdff648d3f50f2f6342c7f23c899f95d8244b144
package
所以,我有这个包,在package-lock.json中:
"micromatch": {
"version": "2.3.11",
"resolved": ".3.11.tgz",
"integrity": "sha1-hmd8l9FyCzY0MdBNDRUpO9OMFWU=",
"requires": {
"arr-diff": "^2.0.0",
"array-unique": "^0.2.1",
"braces": "^1.8.2",
"expand-brackets": "^0.1.4",
"extglob": "^0.3.1",
"filename-regex": "^2.0.0",
"is-extglob": "^1.0.0",
"is-glob": "^2.0.1",
"kind-of": "^3.0.2",
"normalize-path": "^2.0.1",
"object.omit": "^2.0.0",
"parse-glob": "^3.0.4",
"regex-cache": "^0.4.2"
}
}
漏洞是:“大括号”:“^ 1.8.2”,当我运行npm审计时,它说它固定在2.3.1,但我似乎无法更新它,或者只是不知道如何。
我试过的事情:
- npm安装micromatch和braces,然后进行npm审计修复。
- npm install && npm卸载micromatch和braces,然后运行npm update
- 删除node_modules和package-lock.json并执行npm i -f
- 手动编辑package-lock.json,将版本和需求更改为依赖项,然后执行npm审计修复(修复它,然后我运行npm install,然后将版本回滚到1.8.2)
从npm依赖项中可能有一些我不理解的东西。那么我该如何解决这个问题呢?
编辑为package.json
{
"name": "project",
"version": "0.1.0",
"private": true,
"dependencies": {
"@material-ui/core": "^3.9.2",
"@material-ui/icons": "^3.0.2",
"micromatch": "^3.1.10",
"prop-types": "latest",
"react": "^16.8.2",
"react-async-component": "^2.0.0",
"react-dom": "^16.8.2",
"react-scripts": "^2.1.5",
"typeface-roboto": "0.0.54"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},
"eslintConfig": {
"extends": "react-app"
},
"browserslist": [
">0.2%",
"not dead",
"not ie <= 11",
"not op_mini all"
],
"devDependencies": {
"react-router-dom": "^4.3.1"
}
}
您需要将您的micromatch模块升级到最新版本3.1,该漏洞来自您使用的micromatch 2.3.11,使用较旧版本的大括号。大括号版本在最新版本的micromatch中升级,因此只需升级您的micromatch模块即可。这将解决您的问题。
升级,
- 将主package.json中的micromatch版本替换为3.1.10并保存。
- 删除package-lock.json文件
- 海平面和
当micromatch升级大括号模块时,请参阅此提交 - https://github/micromatch/micromatch/commit/cdff648d3f50f2f6342c7f23c899f95d8244b144