NPM crashes when I try to update a package with --depth 21

I'm trying to fix npm vulnerabilities in my project. When I ran npm audit, it gave me a command to fix the vulnerability in one of the packages:

$ npm update kind-of --depth 21

When I run this command, I get the following message:

<--- Last few GCs --->
[27677:0x43e27b0]   655989 ms: Mark-sweep 1092.0 (1432.7) -> 1092.0 (1425.7) MB, 1401.7 / 0.0 ms  (average mu = 0.031, current mu = 0.007) last resort GC in old space requested
[27677:0x43e27b0]   657562 ms: Mark-sweep 1092.0 (1425.7) -> 1092.0 (1425.7) MB, 1573.0 / 0.0 ms  (average mu = 0.016, current mu = 0.000) last resort GC in old space requested
<--- JS stacktrace --->
==== JS stack trace =========================================
    0: ExitFrame [pc: 0x6d8f26dbe1d]
Security context: 0x3d028b51e6e1 <JSObject>
    1: isExtraneous(aka isExtraneous) [0x21dd9bc867d1] [/home/qburst/.nvm/versions/node/v10.13.0/lib/node_modules/npm/lib/install/is-extraneous.js:~4] [pc=0x6d8f2f64036](this=0x36cf643826f1 <undefined>,tree=0x0ca9a56e2291 <Node map = 0x391751aadd89>)
    2: /* anonymous */ [0x219a048fa6f9] [/home/qburst/.nvm/versions/node/v10.13.0/lib/node_modules/npm/lib/out...
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
 1: 0x8daaa0 node::Abort() [npm]
 2: 0x8daaec  [npm]
 3: 0xad73ce v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [npm]
 4: 0xad7604 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [npm]
 5: 0xec4c32  [npm]
 6: 0xed444f v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) [npm]
 7: 0xea21e8 v8::internal::Factory::NewTransitionArray(int, int) [npm]
 8: 0x11db913 v8::internal::TransitionsAccessor::Insert(v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Map>, v8::internal::SimpleTransitionFlag) [npm]
 9: 0xfcb9b6 v8::internal::Map::ConnectTransition(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::SimpleTransitionFlag) [npm]
10: 0x1005d26 v8::internal::Map::CopyReplaceDescriptors(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::DescriptorArray>, v8::internal::Handle<v8::internal::LayoutDescriptor>, v8::internal::TransitionFlag, v8::internal::MaybeHandle<v8::internal::Name>, char const*, v8::internal::SimpleTransitionFlag) [npm]
11: 0x1007764 v8::internal::Map::CopyAddDescriptor(v8::internal::Handle<v8::internal::Map>, v8::internal::Descriptor*, v8::internal::TransitionFlag) [npm]
12: 0x1007943 v8::internal::Map::CopyWithField(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::FieldType>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Representation, v8::internal::TransitionFlag) [npm]
13: 0x100cc55 v8::internal::Map::TransitionToDataProperty(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Object::StoreFromKeyed) [npm]
14: 0xfb35b8 v8::internal::LookupIterator::PrepareTransitionToDataProperty(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::Object::StoreFromKeyed) [npm]
15: 0xff0109 v8::internal::Object::AddDataProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::ShouldThrow, v8::internal::Object::StoreFromKeyed) [npm]
16: 0x100ad7d v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::Object::StoreFromKeyed) [npm]
17: 0x11654d5 v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode) [npm]
18: 0x1166630 v8::internal::Runtime_SetProperty(int, v8::internal::Object**, v8::internal::Isolate*) [npm]
19: 0x6d8f26dbe1d 
[1]    27677 abort (core dumped)  npm update kind-of --depth 21

Can someone help me with this? Thanks.

I ran into the same error, and from looking at the error my intuition is that npm update at that depth of the dependency tree is not feasible for Node.js with our default resource settings. (I admit I haven't researched this any further.)

Assuming I'm close to the truth in the inference above, I wouldn't recommend increasing any such default resource limits unless we are sure which values are safe and good, and also because this problem only happens in edge cases of using npm.

I see that you are trying to force an update of kind-of at a certain level of the dependency tree by running:

npm update kind-of --depth 21

However, since kind-of is a very widely used package, I suggest you check all the other levels of the dependency tree (npm ls kind-of) and make sure whether fixing only the kind-of version at depth 21 will make your npm audit clean.

Solution (workaround)

Use npm-force-resolutions. Quoting the package's description:

This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

Before you use it, let me also warn you:

The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls can help you with that).

In your package.json, you just need to add a preinstall script

"scripts": {
    "preinstall": "npx npm-force-resolutions"
}

and a resolutions field

"resolutions": {
    "kind-of": ">=6.0.3"
}

(assuming you want to pin the kind-of version to get rid of CVE-2019-20149
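As an added example that is not part of the question or of this answer, the following Node.js script implements the check the answer recommends: list every level of the dependency tree where kind-of appears (not just depth 21) and report which occurrences would still fall short of a resolution such as ">=6.0.3". It assumes the nested "dependencies" layout of an npm 6 package-lock.json and runs against a small tree constructed inline; the function names are mine, and only the ">=x.y.z" range form is handled.

```javascript
// Added example: walk a lockfile-v1 style nested dependency tree, list every
// occurrence of a package with its path and depth, and flag the ones that do
// not satisfy a minimum version. SAMPLE_LOCK is constructed for this example;
// real input would be JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

const SAMPLE_LOCK = {
  dependencies: {
    "kind-of": { version: "6.0.3" },
    "micromatch": {
      version: "3.1.10",
      dependencies: {
        "kind-of": { version: "6.0.2" },
        "braces": {
          version: "2.3.2",
          dependencies: {
            "kind-of": { version: "3.2.2" }
          }
        }
      }
    }
  }
};

// Parse "1.2.3" into [1, 2, 3]; non-numeric parts become 0 (prerelease tags ignored).
function parseVersion(v) {
  return v.split(".").slice(0, 3).map(p => parseInt(p, 10) || 0);
}

// True when `version` satisfies a ">=x.y.z" minimum. This is the only range
// form handled here; npm-force-resolutions itself accepts full semver ranges.
function satisfiesMin(version, range) {
  const min = parseVersion(range.replace(/^>=/, ""));
  const got = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (got[i] !== min[i]) return got[i] > min[i];
  }
  return true;
}

// Recursively collect every occurrence of `name` with its path and nesting depth
// (0 = top-level node_modules, the same notion of depth npm ls / npm update use).
function findOccurrences(tree, name, path = [], depth = 0, out = []) {
  const deps = tree.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = path.concat(dep);
    if (dep === name) {
      out.push({ path: here.join(" > "), depth, version: info.version });
    }
    findOccurrences(info, name, here, depth + 1, out);
  }
  return out;
}

// Evaluate a resolution like { "kind-of": ">=6.0.3" } against every occurrence,
// so you can see whether fixing one depth alone would leave others vulnerable.
function auditResolution(lock, name, range) {
  return findOccurrences(lock, name).map(o => ({ ...o, ok: satisfiesMin(o.version, range) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditResolution(SAMPLE_LOCK, "kind-of", ">=6.0.3")) {
    console.log(`${r.ok ? "ok  " : "FAIL"} depth=${r.depth} ${r.path}@${r.version}`);
  }
}
```

Run it with node against your own lockfile by swapping SAMPLE_LOCK for the parsed package-lock.json; any FAIL line is an occurrence that npm audit would still report, which is the case the answer warns about when only one depth is updated.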