Dependabot issue - cannot update glob-parent to a non-vulnerable version
I've just started to use Dependabot and encountered an issue with one of its alerts. I was looking for an answer on how to handle such vulnerabilities, but didn't find any proper resource. What I can see is that it is a dependency of my deps, so it affects the package-lock file.
Here is what Dependabot provided:
Dependabot cannot update glob-parent to a non-vulnerable version
The latest possible version that can be installed is 3.1.0 because of the following conflicting dependencies:
[email protected] requires glob-parent@^6.0.1
[email protected] requires glob-parent@^3.1.0 via a transitive dependency on [email protected]
The earliest fixed version is 5.1.2.
I don't have glob-parent in my package.json file - it is just the dependency of my other dependencies. What is the attitude to handle such alerts? Should I dismiss it? As far as I know manually changing package-lock is not the way to go.
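As an added example (not code from the question or from Dependabot), the script below does the part of the investigation the alert leaves to you: it walks a package-lock.json v2/v3 `packages` map, resolves each `glob-parent` requirement the way Node does (nearest `node_modules`, then up one level at a time), compares the copy that actually gets used against the earliest fixed version 5.1.2 quoted in the alert, and prints the chain from the direct dependency down to the vulnerable copy. That chain is what tells you which entry in your own package.json has to move. The lockfile fragment is constructed; the direct dependencies `dep-a`, `dep-b` and the intermediate `chokidar-like` are placeholders, since the real package names were lost to e-mail obfuscation on the page.

```javascript
// Added example: locate every copy of a transitive dependency in a
// package-lock.json (v2/v3 "packages" layout) and report which direct
// dependency pulls in a copy below the fixed version.

const FIXED_VERSION = "5.1.2"; // earliest fixed version, as quoted in the alert

// Constructed lockfile fragment (placeholder names, not a real project's lock).
// dep-a already resolves to a fixed glob-parent; dep-b drags in an old one
// through an intermediate package that pins glob-parent@^3.1.0.
const LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "dep-a": "^1.0.0", "dep-b": "^2.0.0" } },
    "node_modules/dep-a": { version: "1.0.0", dependencies: { "glob-parent": "^6.0.1" } },
    "node_modules/glob-parent": { version: "6.0.2" },
    "node_modules/dep-b": { version: "2.0.0", dependencies: { "chokidar-like": "^2.1.0" } },
    "node_modules/chokidar-like": { version: "2.1.8", dependencies: { "glob-parent": "^3.1.0" } },
    "node_modules/chokidar-like/node_modules/glob-parent": { version: "3.1.0" },
  },
};

// Minimal numeric semver comparison (major.minor.patch; pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Node-style resolution expressed in lockfile paths: try <from>/node_modules/<name>,
// then strip one nesting level and retry, until the top-level node_modules.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Breadth-first walk from the root recording which package first pulled in each
// resolved path, so a hoisted package can be traced back to a direct dependency.
function buildParents(lock) {
  const packages = lock.packages;
  const parent = { "": null };
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    const deps = (packages[from] && packages[from].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const to = resolve(packages, from, dep);
      if (to && !(to in parent)) {
        parent[to] = from;
        queue.push(to);
      }
    }
  }
  return parent;
}

function chainTo(parent, lockPath) {
  const chain = [];
  for (let p = lockPath; p !== null && p !== ""; p = parent[p]) chain.unshift(packageName(p));
  return chain;
}

// One record per dependent whose requirement resolves to a copy older than fixedVersion.
function findVulnerableDependents(lock, name, fixedVersion) {
  const packages = lock.packages;
  const parent = buildParents(lock);
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const range = entry.dependencies && entry.dependencies[name];
    if (!range) continue;
    const resolved = resolve(packages, path, name);
    if (!resolved) continue;
    const version = packages[resolved].version;
    if (compareVersions(version, fixedVersion) < 0) {
      const chain = chainTo(parent, path).concat(name + "@" + version);
      findings.push({ dependent: packageName(path), range, resolved, version, chain });
    }
  }
  return findings;
}

for (const f of findVulnerableDependents(LOCK, "glob-parent", FIXED_VERSION)) {
  console.log(`${f.chain.join(" > ")}  (requires ${f.range}, fixed in ${FIXED_VERSION})`);
  console.log(`  direct dependency to upgrade or replace: ${f.chain[0]}`);
}
```

Run it with `node` against your own lock file by replacing `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the first element of each printed chain is the direct dependency to upgrade, which is the same information `npm ls glob-parent` gives, minus the version check. If the intermediate package has no release that accepts a fixed glob-parent, the chain shows exactly which maintainer the fix depends on, which is what the alert's "conflicting dependencies" line is describing.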