node.js - npm deep audit vulnerability
Problem description
Background:
I wanted to move to Koa from express, however, I also use socket.io for much of my work, and need to share sessions across connection types. Enter koa-socket-session.
When I install this, npm is faithful to warn me that there is one High severity vulnerability:
koa-socket-session > koa-socket.io > socket.io > socket.io-client > engine.io-client > parsejson
Being the nice dev that I am, I decide I'll fork it and submit a patch.
Within a few moments, I realize that the problem is there is a very old version of socket.io required by koa-socket.io. I figure I'll just fix up the breaking changes, submit a patch and be good to go. BUT...
Problem
After I patch that issue, even if there are no breaking changes for the rest of the line up to my project, there ARE major version number changes, so I have to fork each one of those projects to fix the dependency chain.
However, until the previous fork is pulled into the main branch, if it ever even is, I can't patch the next step without pointing the dependency to my own fork and splitting all of their code bases. This could take months, years or maybe never even happen if my pull requests are not accepted.
Solutions?
The only solutions I can come up with are:
- Build an entirely new chain of dependencies, give them all new names, publish them on npmjs and github and abandon all the current packages.
- Merge all of the dependencies into one, and publish them as a self-contained package.
Clearly, either method would be a complete violation of the community standards. I am REALLY not looking to usurp all these projects, and chances are my forks would never be used by anyone but me, so I'd fall behind everyone else.
I imagine this problem comes up hundreds of times every day, and with such a tried and true system like npm, there must be a standard way to handle it, but I could not find the "right" solution out there anywhere. What is the correct method to handle this?
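As an added illustration of the chain described above (example code added here, not from the original post or from any of the packages named; the node shape follows what `npm ls --json` prints, and the sample tree is constructed), this walks a dependency tree, reports every path to the flagged package, and lists the packages that would each need a new release before the next link can be upgraded:

```javascript
// Trace a deep transitive dependency through an `npm ls --json`-style tree.
// Each node is { version?, dependencies?: { [name]: node } }, as npm prints it.

// Return every root-to-target path (array of package names) in the tree.
function findDependencyPaths(tree, target) {
  const paths = [];
  const walk = (node, trail) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = trail.concat(name);
      if (name === target) paths.push(next);
      walk(child, next);
    }
  };
  walk(tree, []);
  return paths;
}

// Every package on the path except the vulnerable one itself has to publish
// a release that accepts the fixed dependency before the next hop can move,
// which is the fork-per-link problem the question runs into.
function packagesToPatch(path) {
  return path.slice(0, -1);
}

// Build one nested chain root -> a -> b -> ... (helper for constructing samples).
function chainTree(names) {
  return names.reduceRight(
    (child, name) => ({ dependencies: { [name]: child } }),
    {}
  );
}

// Constructed sample: the chain from the question plus an unrelated direct
// dependency, so the walk shows it only reports the paths that matter.
const vulnerableChain = [
  'koa-socket-session', 'koa-socket.io', 'socket.io',
  'socket.io-client', 'engine.io-client', 'parsejson',
];
const sampleTree = {
  dependencies: {
    ...chainTree(vulnerableChain).dependencies,
    express: { dependencies: { 'body-parser': {} } },
  },
};

for (const p of findDependencyPaths(sampleTree, 'parsejson')) {
  console.log(p.join(' > '));
  console.log('needs a release from:', packagesToPatch(p).join(', '));
}
```

On a real project, feed it `JSON.parse` of `npm ls --all --json` output instead of `sampleTree`; the printed chain has the same form as the one npm shows in its audit warning.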
Solution