I'm very surprised that I can't find an answer to this simple question. I'm also surprised that npm update does not solve this.
I can't post my complete dependency tree here, but let me describe my issue anyway:
minimist is outdated (version 1.2.0) and has a security vulnerability in this version. The packages that require minimist define the dependency as ^1.2.0, so it is compatible with 1.2.2.
The common solution is to put it into package.json within devDependencies or dependencies with ^1.2.2. I don't want to put it into package.json. I feel like npm update should also update indirect dependencies.
Am I missing something?
Here you can see my package-lock.json: https://github.com/tflori/riki-community/blob/master/package-lock.json
And the output of npm ls minimist:
riki-community@ /home/iras/work/projects/riki/community
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected] deduped
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ @jest/[email protected]
│ ├─┬ @jest/[email protected]
│ │ └─┬ @babel/[email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ ├─┬ @cnakazawa/[email protected]
│ │ └── [email protected] deduped
│ └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ UNMET OPTIONAL DEPENDENCY [email protected]
└─┬ UNMET OPTIONAL DEPENDENCY [email protected]
├─┬ UNMET OPTIONAL DEPENDENCY [email protected]
│ └── UNMET OPTIONAL DEPENDENCY [email protected]
└─┬ UNMET OPTIONAL DEPENDENCY [email protected]
└── UNMET OPTIONAL DEPENDENCY [email protected]
Keep in mind that npm update will never update to a major version with breaking changes. It updates the dependencies in package.json and package-lock.json.
By default, npm install will install all modules listed as dependencies in package.json.
The problem is the depth. From the documentation:
As of [email protected], npm update will only inspect top-level packages. Prior versions of npm would also recursively inspect all dependencies. To get the old behavior, use npm --depth 9999 update.
So we have to provide the depth that we want to update. In my case a 9999 took too long and I canceled it. But a --depth 5 was enough:
npm update --depth 5
If that still does not update the dependency, then you have to manually change the package-lock.json.
Open the package-lock.json and find all occurrences of "minimist": { and remove the object.
Example:
Change this:
"dependencies": {
  "minimist": {
    "version": "1.2.0",
    "bundled": true,
    "dev": true,
    "optional": true
  }
}
to that:
"dependencies": {
}
And run npm install again.
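The manual step in the answer above (find every "minimist" entry in package-lock.json, delete it, run npm install) is mechanical enough to script, and it is also worth checking afterwards which copies are still below the fixed version. The following Node.js script is an added example, not code from the answer or from npm: it walks an npm v1-style lockfile (the nested "dependencies" objects written by npm 5 and 6), lists every resolved copy of a package, flags the ones below a minimum version, and prunes them so the next npm install re-resolves them against the parents' ranges. The sample lockfile, the parent names tool-a and tool-b, and the file name prune-lock.js are constructed for the example.

```javascript
// Added example, not code from the original answer: prune every lockfile entry
// for one package from an npm v1-style package-lock.json (nested "dependencies"
// objects as written by npm 5/6), and report which resolved copies are still
// below a minimum version. Node.js built-ins only; no network access.

// Compare dotted numeric versions, e.g. isBelow("1.2.0", "1.2.2") === true.
// Pre-release tags are ignored; sufficient for the x.y.z case discussed here.
function isBelow(version, minimum) {
  const a = String(version).split('.').map(Number);
  const b = String(minimum).split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk the tree and collect every resolved copy of `name`.
// Each record notes where it sits, its version, and whether it is "bundled"
// (shipped inside the parent package's own tarball).
function findVersions(lock, name, path = [], out = []) {
  for (const [depName, entry] of Object.entries(lock.dependencies || {})) {
    const here = path.concat(depName);
    if (depName === name) {
      out.push({ path: here.join(' > '), version: entry.version, bundled: entry.bundled === true });
    }
    findVersions(entry, name, here, out);
  }
  return out;
}

// Copies of `name` whose version is below `minimum` (the ones an advisory covers).
function staleVersions(lock, name, minimum) {
  return findVersions(lock, name).filter((r) => isBelow(r.version, minimum));
}

// Delete every entry for `name` at any depth, mutating `lock` in place.
// Object.entries() snapshots the keys, so deleting inside the loop is safe.
// Bundled entries are counted separately: dropping them from the lockfile does
// not change what npm extracts from the parent's tarball on the next install.
function pruneLockEntries(lock, name) {
  const result = { removed: 0, bundled: 0 };
  const deps = lock.dependencies;
  if (!deps) return result;
  for (const [depName, entry] of Object.entries(deps)) {
    if (depName === name) {
      if (entry.bundled === true) result.bundled++;
      delete deps[depName];
      result.removed++;
    } else {
      const sub = pruneLockEntries(entry, name);
      result.removed += sub.removed;
      result.bundled += sub.bundled;
    }
  }
  return result;
}

// Constructed sample lockfile; "tool-a" and "tool-b" are hypothetical parents.
// tool-a pins minimist to an exact old version, tool-b carries a bundled copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.0', dev: true },
    'tool-a': {
      version: '0.5.1',
      requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8' } },
    },
    'tool-b': {
      version: '2.0.0',
      dependencies: {
        minimist: { version: '1.2.0', bundled: true, dev: true, optional: true },
      },
    },
  },
};

// CLI use: node prune-lock.js package-lock.json minimist 1.2.2
// Runs only when a file argument is given, so the functions above can be
// loaded without touching any file.
if (process.argv[2]) {
  const fs = require('fs');
  const [file, name = 'minimist', minimum = '1.2.2'] = process.argv.slice(2);
  const lock = JSON.parse(fs.readFileSync(file, 'utf8'));
  const stale = staleVersions(lock, name, minimum);
  console.log(`${stale.length} copies of ${name} below ${minimum}:`, stale);
  const result = pruneLockEntries(lock, name);
  fs.writeFileSync(file, JSON.stringify(lock, null, 2) + '\n');
  console.log(`removed ${result.removed} entries (${result.bundled} bundled); now run npm install`);
}
```

Two things the report makes visible that the hand edit does not: an entry marked "bundled" comes back from the parent package's tarball at the same version however the lockfile is edited, and a parent whose requires range pins an exact old version (the hypothetical tool-a above) will simply get that version resolved again. In both cases the fix has to come from the parent package, not from the lockfile. Run staleVersions again after npm install to confirm nothing below the minimum remains.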
As of npm v7.0.0, running npm update will always update all packages, not just the ones specified in the root package.json file. npm has removed the --depth option from the npm update command and changed its behavior.
Note: it is still possible that some underlying package is specifying an outdated version as a dependency, which will prevent npm update from installing the latest version. You don't have many options, other than forcing a resolution to a more recent version.