As part of a security vulnerability fix, I need to update one of the transitive dependencies.
The vulnerability is in the minimist package, which needs to be updated to 0.2.1.
minimist :: 0.0.8 >> Mypackage >> node:npm:artifactory/npm-dcloud:less:3.9.0 >> node:npm:artifactory/npm-dcloud:mkdirp:0.5.1
This is how the vulnerable package is reported in my system. So I need to tell less:3.9.0 that it should use a specific version of minimist when it is fetched by one of its dependencies, mkdirp.
As of now my package.json looks like:
"dependencies": {
.......
.......
"less": "^3.0.4",
.......
}
I have two queries here:
Why does package-lock.json have the less version as 3.9.0 when I have 3.0.4 in package.json? In npm list I also see only 3.9.0.
How can I inform npm to use minimist 0.2.1 instead of 0.0.8, as reported above?
npm ls minimist
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]
├── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ UNMET PEER DEPENDENCY [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
npm ERR! peer dep missing: webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0, required by [email protected]
npm ERR! peer dep missing: webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0, required by [email protected]
I have tried overrides as mentioned in
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
as follows:
"overrides": {
"mkdirp": {
"minimist": "0.2.1"
}
}
but the older minimist version is still coming.
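A check that the override actually landed, as an added example that is not part of the question or the answers: it walks a parsed package-lock.json (the constructed sampleLock below stands in for the real file) and lists every copy of minimist still below 0.2.1, handling both the nested lockfile v1 layout and the flat v2/v3 layout.

```javascript
// Added example (not from the question or npm): scan a parsed package-lock.json
// for every installed copy of a package and flag copies below the patched version.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// Split "0.0.8" into [0, 0, 8]; tolerates a leading "v" or "=".
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').map((n) => parseInt(n, 10) || 0);
}
// True when version a is older than version b (plain major.minor.patch compare).
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
// Collect { path, version } for every copy of `name` in the lock file object.
function findInstalls(lock, name) {
  const found = [];
  if (lock.packages) {                       // lockfileVersion 2 or 3
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name)) found.push({ path: p, version: meta.version });
    }
  } else if (lock.dependencies) {            // lockfileVersion 1
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = prefix + 'node_modules/' + dep;
        if (dep === name) found.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}
// Copies of `name` still below `minVersion`; an empty array means the fix landed.
function vulnerableInstalls(lock, name, minVersion) {
  return findInstalls(lock, name).filter((i) => isOlder(i.version, minVersion));
}

// Constructed sample lock (v1 shape): one patched top-level minimist and one
// stale copy nested under less -> mkdirp, as in the question's report.
const sampleLock = { lockfileVersion: 1, dependencies: {
  minimist: { version: '0.2.1' },
  less: { version: '3.9.0', dependencies: { mkdirp: { version: '0.5.1',
    dependencies: { minimist: { version: '0.0.8' } } } } },
} };
// Usage: replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const i of vulnerableInstalls(sampleLock, 'minimist', '0.2.1')) console.log(i.path, '->', i.version);
```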
CodePudding user response:
Second query:
rm -rf node_modules/
rm package-lock.json
In the package.json file it is possible to add the transitive dependency version.
"resolutions": { "minimist": "0.2.1" },
npm install
:)
CodePudding user response:
npm install module_name@version_number
npm install [email protected]