I'm trying to npm install a package, but it's failing to install due to a missing transitive dependency.
(I don't think the details are important, but we're proxying to a Nexus NPM registry, which didn't support scoped modules at the time. One of our dependency's dependencies is trying to pull down the @bahmutov/parse-github-repo-url module, and we get a 404.)
In my npm-debug.log I see the 404 from our registry:
404 - Path /@bahmutov/parse-github-repo-url not found in group repository</title>
But I can't tell which dependency is trying to pull it down.
Normally I'd run npm ls [package-name] but this doesn't work for a project with an empty node_modules folder, which is what's going on here.
We're using npm3, which has a flat dependency tree, so I can't just open up the partially-hydrated node_modules folder and see where things get laid down.
Is there a way to inspect a package.json file and determine the calculated dependency tree without relying on npm install to succeed?
Once you identify your package to be fixed using any of the above methods, to fix the transitive dependency, you must add a dependency to the updated version of the vulnerable package by adding it to the .csproj file, i.e. such a vulnerable package needs to be made a direct dependency of your main project.
Transitive dependency: a dependency that your package indirectly uses because one of its dependencies requires it. If your package depends on A, which in turn depends on B, which depends on C, then A is an immediate dependency and B and C are transitive ones.
npm-remote-ls looks like it might give you a reasonable answer!
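The idea behind resolving the tree from manifests alone, as an added example that is not part of the original question or answer and is not npm-remote-ls's own code: it walks declared dependencies and reports every chain that reaches a target package. The REGISTRY map is a constructed stand-in for per-package metadata, every package name except @bahmutov/parse-github-repo-url is hypothetical, and version ranges are ignored, so every declared dependency is followed.

```javascript
// Added example: find which dependency chains pull in a given transitive
// package, using only manifest data (no node_modules folder required).

// Constructed stand-in for each package's "dependencies" as a registry would
// report them. All names except the target are hypothetical.
const REGISTRY = {
  "build-tool": { "release-helper": "^1.0.0", "tiny-util": "^2.0.0" },
  "release-helper": { "@bahmutov/parse-github-repo-url": "^0.1.0", "tiny-util": "^2.0.0" },
  "test-runner": { "tiny-util": "^2.0.0" },
  "tiny-util": {},
  "@bahmutov/parse-github-repo-url": {},
};

// Constructed root manifest, shaped like a package.json.
const ROOT = {
  name: "my-app",
  dependencies: { "build-tool": "^3.0.0" },
  devDependencies: { "test-runner": "^1.0.0" },
};

// Return every chain root -> ... -> target as an array of package names.
function findPaths(root, registry, target) {
  const results = [];
  const direct = { ...root.dependencies, ...root.devDependencies };

  function walk(name, path) {
    if (path.includes(name)) return;        // cycle guard
    const next = [...path, name];
    if (name === target) { results.push(next); return; }
    const deps = registry[name];
    if (!deps) return;                      // no metadata available for this package
    for (const dep of Object.keys(deps)) walk(dep, next);
  }

  for (const dep of Object.keys(direct)) walk(dep, [root.name]);
  return results;
}

// Render each chain the way a reviewer would read it.
function formatPaths(paths) {
  return paths.map((p) => p.join(" > "));
}

console.log(formatPaths(findPaths(ROOT, REGISTRY, "@bahmutov/parse-github-repo-url")));
```
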