I have an Angular project that I develop on a Windows 10 machine, test on Ubuntu in GitHub Actions, and like to check out and build on my local Linux server to make sure I have set everything up the way it should be and that there are no hidden dependencies.
Both GitHub's Dependabot and snyk.io tell me about potential vulnerabilities, but recently I did a fairly fresh install with `npm ci` on my local Linux server and noticed several warnings about breaking changes and deprecated packages:
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
`npm audit` shows me details for one of the packages, @angular-devkit/build-webpack, which implicitly imports chokidar@2.1.8, but I can't see the rest of the packages.
I know I have no explicit imports of these packages, so my question is: is there an npm command that shows which package is importing the deprecated package?
{
  "name": "scrum-timer",
  "version": "0.2.24",
  "license": "MIT",
  "scripts": {
    "ng": "ng",
    "start": "node server.js",
    "build": "ng build",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e",
    "bump-version": "npm version patch -m \"Bump version to %s\" && git push --tags",
    "deploy": "ng build --base-href \"https://josste.github.io/ScrumTimer/\" && cp ./dist/index.html ./dist/404.html && angular-cli-ghpages --no-silent"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "^12.1.0",
    "@angular/common": "^12.1.0",
    "@angular/compiler": "^12.1.0",
    "@angular/core": "^12.1.0",
    "@angular/forms": "^12.1.0",
    "@angular/platform-browser": "^12.1.0",
    "@angular/platform-browser-dynamic": "^12.1.0",
    "@babel/polyfill": "^7.12.1",
    "bootstrap": "^4.5.3",
    "core-js": "^3.15.1",
    "diff": "^5.0.0",
    "font-awesome": "^4.7.0",
    "jquery": "^3.6.0",
    "npm": "^7.19.0",
    "popper.js": "^1.16.0",
    "rxjs": "^6.6.7",
    "rxjs-compat": "^6.6.7",
    "tether": "^1.4.7",
    "tslib": "^2.2.0",
    "zone.js": "~0.11.4"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^0.1102.10",
    "@angular/cli": "^11.2.10",
    "@angular/compiler-cli": "^11.2.11",
    "@angular/language-service": "^11.2.11",
    "@angular/router": "^11.2.11",
    "@types/jasmine": "~3.6.0",
    "@types/jasminewd2": "^2.0.8",
    "@types/node": "^13.13.34",
    "angular-cli-ghpages": "^0.6.2",
    "codelyzer": "^6.0.0",
    "jasmine-core": "~3.6.0",
    "jasmine-spec-reporter": "~5.0.0",
    "karma": "~6.3.2",
    "karma-chrome-launcher": "~3.1.0",
    "karma-cli": "~2.0.0",
    "karma-coverage-istanbul-reporter": "~3.0.2",
    "karma-jasmine": "~4.0.0",
    "karma-jasmine-html-reporter": "^1.5.0",
    "protractor": "~7.0.0",
    "ts-node": "~8.8.2",
    "eslint": "^7.14.0",
    "typescript": "~4.1.5"
  }
}
Per RobC,
npm ls har-validator@5.1.5 resolve-url@0.2.1 chokidar@2.1.8 uuid@3.4.0
gives a nice dependency graph:
Answer 0 (score: 1)
Consider using the `npm ls` command.
For example:
First `cd` to your project directory.
Then run:
npm ls har-validator@5.1.5 resolve-url@0.2.1 chokidar@2.1.8 uuid@3.4.0
This will print a tree structure to stdout showing each of the specific versioned packages listed in the `npm ls` command above.
For example, given the following tree fragment:
└─┬ npm@7.19.1
  └─┬ node-gyp@7.1.2
    └─┬ request@2.88.2
      ├── har-validator@5.1.5
      └── uuid@3.4.0
...
we can determine that:
- har-validator@5.1.5 and uuid@3.4.0 are dependencies of request@2.88.2
- request@2.88.2 is a dependency of node-gyp@7.1.2
- node-gyp@7.1.2 is a dependency of npm@7.19.1
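The same deduction can be automated when the tree is large or a deprecated package is pulled in along several paths. The following is an added example, not code from the question or the answer: it walks a dependency tree in the nested shape that `npm ls --all --json` prints (objects with a `version` field and a `dependencies` map) and reports every path from the project root down to a requested `name@version`. The `sampleTree` object is constructed here to mirror the fragment in the answer plus the `@angular-devkit/build-webpack` -> `chokidar@2.1.8` edge from the question; the `1.0.0-example` version on that package is a placeholder, and `resolve-url@0.2.1` is deliberately left out so the "not found" case is exercised.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output.
// Versions marked "example" are placeholders, not taken from a real install.
const sampleTree = {
  name: "scrum-timer",
  version: "0.2.24",
  dependencies: {
    npm: {
      version: "7.19.1",
      dependencies: {
        "node-gyp": {
          version: "7.1.2",
          dependencies: {
            request: {
              version: "2.88.2",
              dependencies: {
                "har-validator": { version: "5.1.5" },
                uuid: { version: "3.4.0" },
              },
            },
          },
        },
      },
    },
    "@angular-devkit/build-webpack": {
      version: "1.0.0-example", // placeholder version
      dependencies: {
        chokidar: { version: "2.1.8" },
      },
    },
  },
};

// Split "name@version" or "@scope/name@version" into its parts.
// The last "@" is the version separator, so scoped names are handled.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Return every path (as an array of "name@version" labels) from the root's
// direct dependencies down to a package matching `spec`. Deduplicated nodes
// in npm's JSON carry no "dependencies" map, so they are simply leaves here.
function findDependencyPaths(tree, spec) {
  const want = parseSpec(spec);
  const results = [];
  function walk(node, trail) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const label = `${name}@${child.version}`;
      const path = [...trail, label];
      if (name === want.name && (want.version === null || child.version === want.version)) {
        results.push(path);
      }
      walk(child, path);
    }
  }
  walk(tree, []);
  return results;
}

// The packages that directly pull in `spec`: the answer to "who imports this?".
// The root project itself is reported as "<root>" for direct dependencies.
function directDependents(tree, spec) {
  const parents = new Set();
  for (const path of findDependencyPaths(tree, spec)) {
    parents.add(path.length >= 2 ? path[path.length - 2] : "<root>");
  }
  return [...parents];
}

// Render one path the way the `npm ls` tree reads, top to bottom.
function formatPath(path) {
  return path.join(" > ");
}

// Report the four deprecated packages from the npm warnings in the question.
const deprecated = ["har-validator@5.1.5", "resolve-url@0.2.1", "chokidar@2.1.8", "uuid@3.4.0"];
for (const spec of deprecated) {
  const paths = findDependencyPaths(sampleTree, spec);
  if (paths.length === 0) {
    console.log(`${spec}: not found in tree (absent, or only present as a deduplicated entry elsewhere)`);
  } else {
    for (const p of paths) console.log(`${spec}: ${formatPath(p)}`);
  }
}
```

To run it against a real project, replace `sampleTree` with `JSON.parse(fs.readFileSync("tree.json", "utf8"))` after `npm ls --all --json > tree.json` in the project directory; the walk then reports every chain through which a deprecated package is reached, which is the information `npm audit` only showed for one of them.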