auto-package-lock@1.0.3 vulnerabilities
1. 项目 A 安装了依赖软件 B,B 项目内自己依赖了上游库 C。 2. 现 C 出现了 CVE 漏洞,社区发布了新版本修补了漏洞。 3. 但是 B 并未发布新版本引入 C 的无漏洞版本。 4. A 想要避免项目中出现 C 的漏洞,但无法简单通过`npm install C@4.0.7`命令安装指定版本,因为在 package.json 中 A 只与 B 有依赖关系。 5. 因此需要手动修改 A 项目中的 package-lock.json 文件
-
latest version
1.1.0
-
latest non vulnerable version
-
first published
3 years ago
-
latest version published
2 years ago
-
licenses detected
- >=1.0.1
Direct Vulnerabilities
No direct vulnerabilities have been found for this package in Snyk’s vulnerability database. This does not include vulnerabilities belonging to this package’s dependencies.
Does your project rely on vulnerable package dependencies?Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities (in both your packages & their dependencies) and provides automated fixes for free.