auto-package-lock
Advanced tools
1. 项目A安装了依赖软件B,B项目内自己依赖了上游库C。 2. 现C出现了CVE漏洞,社区发布了新版本修补了漏洞。 3. 但是B并未发布新版本引入C的无漏洞版本。 4. A想要避免项目中出现C的漏洞,但无法简单通过`npm install C@4.0.7`命令安装指定版本,因为在package.json中A只与B有依赖关系。 5. 因此需要手动修改A项目中的package-lock.json文件
npm install C@4.0.7命令安装指定版本,因为在package.json中A只与B有依赖关系。npm install -g auto-package-lock,或克隆项目(下载release包)到本地npx auto-package-lock -p 目标项目路径 -m 指定的库名及版本npx ./auto-package-lock举例:
npx auto-package-lock -p ../demo2 -m deepmerge@4.2.2npx auto-package-lock -p /e/projects/js/demo2 -m throttle-debounce@3.0.1npm install --no-save安装依赖。npm install安装依赖FAQs
1. 项目 A 安装了依赖软件 B,B 项目内自己依赖了上游库 C。 2. 现 C 出现了 CVE 漏洞,社区发布了新版本修补了漏洞。 3. 但是 B 并未发布新版本引入 C 的无漏洞版本。 4. A 想要避免项目中出现 C 的漏洞,但无法简单通过`npm install C@4.0.7`命令安装指定版本,因为在 package.json 中 A 只与 B 有依赖关系。 5. 因此需要手动修改 A 项目中的 package-lock.json 文件
We found that auto-package-lock demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.