How do I tell npm to install specific version of library?

Time:04-05

As part of a security vulnerability fix, I need to update one of the transitive dependencies.

The vulnerability is in the minimist package, which needs to be updated to 0.2.1.

minimist :: 0.0.8 >> Mypackage >> node:npm:artifactory/npm-dcloud:less:3.9.0 >> node:npm:artifactory/npm-dcloud:mkdirp:0.5.1

This is how the vulnerable package is reported in my system. So I need to tell less:3.9.0 that it should use a specific version of minimist when it is fetched as one of its dependencies from mkdirp.

As of now my package.json looks like:

"dependencies": {
   .......
   .......
    "less": "^3.0.4",

   .......
  }

I have two queries here:

  1. Why does package-lock.json have the less version as 3.9.0 when I have 3.0.4 in package.json? In npm list also, I see only 3.9.0.

  2. How can I inform npm to use minimist 0.2.1 instead of 0.0.8 as reported above?

npm ls minimist

├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       ├─┬ [email protected]
│       │ └── [email protected] 
│       └─┬ [email protected]
│         └── [email protected] 
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected] 
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] 
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected] 
├─┬ [email protected]
│ └── [email protected] 
├── [email protected] 
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] 
├─┬ UNMET PEER DEPENDENCY [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         ├─┬ [email protected]
│         │ └── [email protected] 
│         └─┬ [email protected]
│           └── [email protected] 
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected] 

npm ERR! peer dep missing: webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0, required by [email protected]
npm ERR! peer dep missing: webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0, required by [email protected]

I have tried overrides as mentioned at https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides as follows:

 "overrides": {
    "mkdirp": {
      "minimist": "0.2.1"
    }
  }

but the older minimist version is still coming.

CodePudding user response:

Second query:

  1. rm -rf node_modules/

  2. rm package-lock.json

  3. In the package.json file it is possible to add the transitive dependency version.

    "resolutions": {
        "minimist": "0.2.1"
    },
    
  4. npm install

:)

CodePudding user response:

npm install module_name@version_number
npm install [email protected]