Question

所以，我在package-lock.json中有这个包：

"micromatch": {
  "version": "2.3.11",
  "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-2.3.11.tgz",
  "integrity": "sha1-hmd8l9FyCzY0MdBNDRUpO9OMFWU=",
  "requires": {
    "arr-diff": "^2.0.0",
    "array-unique": "^0.2.1",
    "braces": "^1.8.2",
    "expand-brackets": "^0.1.4",
    "extglob": "^0.3.1",
    "filename-regex": "^2.0.0",
    "is-extglob": "^1.0.0",
    "is-glob": "^2.0.1",
    "kind-of": "^3.0.2",
    "normalize-path": "^2.0.1",
    "object.omit": "^2.0.0",
    "parse-glob": "^3.0.4",
    "regex-cache": "^0.4.2"
  }
}

漏洞为：“大括号”：“ ^ 1.8.2”，当我运行npm audit时，它说它固定为2.3.1，但是我似乎无法更新它，或者只是不知道

我尝试过的事情

npm同时安装micromatch和花括号，然后进行npm审核修复。
npm install && npm卸载微匹配和花括号，然后运行npm update
删除node_modules和package-lock.json并执行npm i -f
手动编辑package-lock.json，将版本和要求更改为依赖项，然后进行npm审核修复（将其修复，但是我运行npm install，然后将版本回滚到1.8.2 ）

从npm依赖关系中我可能不了解几件事。那我该如何解决呢？

为package.json编辑

{
  "name": "project",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@material-ui/core": "^3.9.2",
    "@material-ui/icons": "^3.0.2",
    "micromatch": "^3.1.10",
    "prop-types": "latest",
    "react": "^16.8.2",
    "react-async-component": "^2.0.0",
    "react-dom": "^16.8.2",
    "react-scripts": "^2.1.5",
    "typeface-roboto": "0.0.54"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": [
    ">0.2%",
    "not dead",
    "not ie <= 11",
    "not op_mini all"
  ],
  "devDependencies": {
    "react-router-dom": "^4.3.1"
  }
}

Answer 1

您需要将您的micromatch模块升级到最新版本3.1，该漏洞是因为您正在使用的micromatch 2.3.11使用了旧版本的括号。括号版本已在最新版本中进行了微匹配的升级，因此只需升级您的微匹配模块即可。这样可以解决您的问题。

要升级，

将主package.json中的微匹配版本替换为3.1.10并保存它。
删除package-lock.json文件
做npm我

当micromatch升级了括号模块-https://github.com/micromatch/micromatch/commit/cdff648d3f50f2f6342c7f23c899f95d8244b144

时，请参阅此提交

package-lock.json软件包要求漏洞（npm）

1 个答案: