© 2024 – Pkg Stats / Ryan Hefner

auto-package-lock

v1.1.0

Published


Downloads

1

Readme

Background

  1. Project A installs dependency B, and B itself depends on the upstream library C.
  2. A CVE is now found in C, and the community has released a new version that fixes it.
  3. But B has not released a new version that pulls in the patched C.
  4. A wants to keep the vulnerable C out of its project, but cannot simply install the fixed version with `npm install C@<patched-version>`, because in package.json A only declares a dependency on B.
  5. The package-lock.json file in project A therefore has to be edited by hand.

Usage

Install via npm

  1. Install with npm: `npm install -g auto-package-lock`
  2. Run the tool with node: `apkl -p <target project path> -m <library name and version to pin>`

Example:

Running locally

  1. Clone the project (or download the release package) to your machine
  2. `cd` into the tool's directory from the command line and run `npm install` to install its dependencies
  3. Run the tool with node: `node ./index.js -p <target project path> -m <library name and version to pin>`

Example:

Parameters

Two required parameters

  • -p path of the target project (project_path)
  • -m the library to pin, given as its name and version (module)

Notes

  1. For projects on npm v6 or lower, be sure to use `npm install --no-save` whenever you install dependencies afterwards.
  2. For projects on npm v7 or higher, a plain `npm install` can be used afterwards.
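The situation from the background, with an added check that is not part of auto-package-lock: a small Node script that lists every copy of the transitive library C recorded in package-lock.json and reports the copies still below the patched version, so you can confirm before and after running apkl (and again after the `npm install` from the notes above) that no nested copy of C was left behind. The lockfile contents and version numbers below are constructed placeholders.

```javascript
// Added example (not auto-package-lock's own code): list every copy of a
// transitive module recorded in package-lock.json and report the copies
// still below the fixed version. Supports lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 ("packages" keyed by path).

// Compare x.y.z versions numerically; prerelease tags are ignored (simplification).
function parseVersion(v) {
  return String(v).replace(/^v/, '').split(/[.+-]/).slice(0, 3).map(Number);
}
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Every installed copy of `name`, as { path, version }, in lockfile object `lock`.
function findModule(lock, name) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/B/node_modules/C"
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) {
        found.push({ path: key, version: entry.version });
      }
    }
    return found;
  }
  // v1: nested "dependencies" objects mirror the node_modules tree
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Copies of `name` whose recorded version is below `fixedVersion`.
function vulnerableCopies(lock, name, fixedVersion) {
  return findModule(lock, name).filter(e => e.version && isOlder(e.version, fixedVersion));
}

// Constructed sample (lockfileVersion 1): A depends on B, B nests its own C.
const sampleLock = { name: 'A', version: '1.0.0', lockfileVersion: 1, dependencies: {
  B: { version: '2.0.0', dependencies: { C: { version: '1.2.0' } } }, C: { version: '1.3.0' } } };
console.log(vulnerableCopies(sampleLock, 'C', '1.3.0'));
```

To check a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('path/to/package-lock.json', 'utf8'))`; an empty result means every recorded copy of C is at or above the patched version.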