Is there a way to see dependencies of dependencies in NPM

I have an angular project that I develop on a Windows 10 machine, test on Github Actions using ubuntu, and want to run on my local Linux server to make sure I have set everything up the way it should be and that there are no hidden dependencies.

Github's dependabot and snyk.io both tell me about potential vulnerabilities, but recently I did a fairly fresh install with npm ci on my local Linux server and noticed several warnings about breaking changes and deprecated packages:

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

npm audit shows me details for one of the packages, @angular-devkit/build-webpack, which implicitly imports chokidar@2.1.8, but the rest are invisible to me.

I know I don't explicitly import these packages, so my question is:
Is there an npm command that tells me which package is importing the deprecated package?

package.json

{
  "name": "scrum-timer",
  "version": "0.2.24",
  "license": "MIT",
  "scripts": {
    "ng": "ng",
    "start": "node server.js",
    "build": "ng build",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e",
    "bump-version": "npm version patch -m \"Bump version to %s\" && git push --tags",
    "deploy": "ng build --base-href \"https://josste.github.io/ScrumTimer/\" && cp ./dist/index.html ./dist/404.html && angular-cli-ghpages --no-silent"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "^12.1.0",
    "@angular/common": "^12.1.0",
    "@angular/compiler": "^12.1.0",
    "@angular/core": "^12.1.0",
    "@angular/forms": "^12.1.0",
    "@angular/platform-browser": "^12.1.0",
    "@angular/platform-browser-dynamic": "^12.1.0",
    "@babel/polyfill": "^7.12.1",
    "bootstrap": "^4.5.3",
    "core-js": "^3.15.1",
    "diff": "^5.0.0",
    "font-awesome": "^4.7.0",
    "jquery": "^3.6.0",
    "npm": "^7.19.0",
    "popper.js": "^1.16.0",
    "rxjs": "^6.6.7",
    "rxjs-compat": "^6.6.7",
    "tether": "^1.4.7",
    "tslib": "^2.2.0",
    "zone.js": "~0.11.4"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^0.1102.10",
    "@angular/cli": "^11.2.10",
    "@angular/compiler-cli": "^11.2.11",
    "@angular/language-service": "^11.2.11",
    "@angular/router": "^11.2.11",
    "@types/jasmine": "~3.6.0",
    "@types/jasminewd2": "^2.0.8",
    "@types/node": "^13.13.34",
    "angular-cli-ghpages": "^0.6.2",
    "codelyzer": "^6.0.0",
    "jasmine-core": "~3.6.0",
    "jasmine-spec-reporter": "~5.0.0",
    "karma": "~6.3.2",
    "karma-chrome-launcher": "~3.1.0",
    "karma-cli": "~2.0.0",
    "karma-coverage-istanbul-reporter": "~3.0.2",
    "karma-jasmine": "~4.0.0",
    "karma-jasmine-html-reporter": "^1.5.0",
    "protractor": "~7.0.0",
    "ts-node": "~8.8.2",
    "eslint": "^7.14.0",
    "typescript": "~4.1.5"
  }
}

Solution:

According to RobC

npm ls har-validator@5.1.5 resolve-url@0.2.1 chokidar@2.1.8 uuid@3.4.0 gives a nice dependency graph:

Consider using the npm ls command.

For example:

  1. First cd into your project directory

  2. Then run:

    npm ls har-validator@5.1.5 resolve-url@0.2.1 chokidar@2.1.8 uuid@3.4.0

This will print a tree structure to stdout showing each specific version of the packages listed in the npm ls command above.

For example, given the following tree fragment:

└─┬ npm@7.19.1
  └─┬ node-gyp@7.1.2
    └─┬ request@2.88.2
      ├── har-validator@5.1.5
      └── uuid@3.4.0
...

We can determine that:

  • har-validator@5.1.5 and uuid@3.4.0 are both dependencies of request@2.88.2
  • request@2.88.2 is a dependency of node-gyp@7.1.2
  • node-gyp@7.1.2 is a dependency of npm@7.19.1