auto-package-lock@1.0.5 vulnerabilities

1. 项目 A 安装了依赖软件 B，B 项目内自己依赖了上游库 C。 2. 现 C 出现了 CVE 漏洞，社区发布了新版本修补了漏洞。 3. 但是 B 并未发布新版本引入 C 的无漏洞版本。 4. A 想要避免项目中出现 C 的漏洞，但无法简单通过`npm install C@4.0.7`命令安装指定版本，因为在 package.json 中 A 只与 B 有依赖关系。 5. 因此需要手动修改 A 项目中的 package-lock.json 文件

latest version

1.1.0
latest non vulnerable version

1.1.0
first published

2 years ago
latest version published

2 years ago
licenses detected
- MIT
  >=1.0.1
View auto-package-lock package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

No direct vulnerabilities have been found for this package in Snyk’s vulnerability database. This does not include vulnerabilities belonging to this package’s dependencies.

Does your project rely on vulnerable package dependencies?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities (in both your packages & their dependencies) and provides automated fixes for free.

Scan for indirect vulnerabilities

Go back to all versions of this package

auto-package-lock@1.0.5 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities