NPM crashes when I try to update a package with --depth 21

Problem description

I am trying to fix the npm vulnerabilities in my project. When I ran npm audit, it gave me a command to fix a vulnerability in one of the packages:

$ npm update kind-of --depth 21

When I run this command, I get the following message:

<--- Last few GCs --->
[27677:0x43e27b0]   655989 ms: Mark-sweep 1092.0 (1432.7) -> 1092.0 (1425.7) MB, 1401.7 / 0.0 ms  (average mu = 0.031, current mu = 0.007) last resort GC in old space requested
[27677:0x43e27b0]   657562 ms: Mark-sweep 1092.0 (1425.7) -> 1092.0 (1425.7) MB, 1573.0 / 0.0 ms  (average mu = 0.016, current mu = 0.000) last resort GC in old space requested
<--- JS stacktrace --->
==== JS stack trace =========================================
    0: ExitFrame [pc: 0x6d8f26dbe1d]
Security context: 0x3d028b51e6e1 <JSObject>
    1: isExtraneous(aka isExtraneous) [0x21dd9bc867d1] [/home/qburst/.nvm/versions/node/v10.13.0/lib/node_modules/npm/lib/install/is-extraneous.js:~4] [pc=0x6d8f2f64036](this=0x36cf643826f1 <undefined>,tree=0x0ca9a56e2291 <Node map = 0x391751aadd89>)
    2: /* anonymous */ [0x219a048fa6f9] [/home/qburst/.nvm/versions/node/v10.13.0/lib/node_modules/npm/lib/out...
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
 1: 0x8daaa0 node::Abort() [npm]
 2: 0x8daaec  [npm]
 3: 0xad73ce v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [npm]
 4: 0xad7604 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [npm]
 5: 0xec4c32  [npm]
 6: 0xed444f v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) [npm]
 7: 0xea21e8 v8::internal::Factory::NewTransitionArray(int, int) [npm]
 8: 0x11db913 v8::internal::TransitionsAccessor::Insert(v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Map>, v8::internal::SimpleTransitionFlag) [npm]
 9: 0xfcb9b6 v8::internal::Map::ConnectTransition(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::SimpleTransitionFlag) [npm]
10: 0x1005d26 v8::internal::Map::CopyReplaceDescriptors(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::DescriptorArray>, v8::internal::Handle<v8::internal::LayoutDescriptor>, v8::internal::TransitionFlag, v8::internal::MaybeHandle<v8::internal::Name>, char const*, v8::internal::SimpleTransitionFlag) [npm]
11: 0x1007764 v8::internal::Map::CopyAddDescriptor(v8::internal::Handle<v8::internal::Map>, v8::internal::Descriptor*, v8::internal::TransitionFlag) [npm]
12: 0x1007943 v8::internal::Map::CopyWithField(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::FieldType>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Representation, v8::internal::TransitionFlag) [npm]
13: 0x100cc55 v8::internal::Map::TransitionToDataProperty(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Object::StoreFromKeyed) [npm]
14: 0xfb35b8 v8::internal::LookupIterator::PrepareTransitionToDataProperty(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::Object::StoreFromKeyed) [npm]
15: 0xff0109 v8::internal::Object::AddDataProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::ShouldThrow, v8::internal::Object::StoreFromKeyed) [npm]
16: 0x100ad7d v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::Object::StoreFromKeyed) [npm]
17: 0x11654d5 v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode) [npm]
18: 0x1166630 v8::internal::Runtime_SetProperty(int, v8::internal::Object**, v8::internal::Isolate*) [npm]
19: 0x6d8f26dbe1d 
[1]    27677 abort (core dumped)  npm update kind-of --depth 21

Can someone help me with this? Thank you.

Tags: node.js, npm, node-modules, npm-install, npm-update

Solution


I ran into the same error, and looking at it my gut feeling is that npm update at that depth of the dependency tree is not feasible with Node.js's default resource settings. (I admit I have not researched this any further.)

Assuming I am close to the truth in that guess, I would not recommend raising any such default resource limit unless we are sure which values are safe and good, and also because this problem only shows up when using npm.

I see you are trying to force an update of kind-of at a particular level of the dependency tree by running:

npm update kind-of --depth 21

But since kind-of is a very widely used package, I suggest you check all the other levels of the dependency tree (npm ls kind-of) and make sure whether fixing only the kind-of version at depth 21 is enough to make your npm audit clean.

Solution (workaround)

Use npm-force-resolutions. Quoting the package description:

This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (a dependency of a dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

Before you use it, let me also warn you:

The use case for this is when there is a security vulnerability and you must update a nested dependency, otherwise your project stays vulnerable. But this should only be used as a last resort; you should first update your top-level dependencies and file an issue asking them to update the vulnerable sub-dependency (npm ls can help you).

In your package.json you only need to add a preinstall script:

"scripts": {
    "preinstall": "npx npm-force-resolutions"
}

and a resolutions field:

"resolutions": {
    "kind-of": ">=6.0.3"
}

(assuming you want to pin the kind-of version to get rid of CVE-2019-20149)
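The check the answer recommends (look at every copy of kind-of in the tree, not only the one at depth 21) can also be done straight from package-lock.json, which is handy when npm ls itself is too slow or the install is broken. The Node.js script below is an added example, not code from the question, the answer or npm-force-resolutions. It assumes a lockfileVersion 1 lock file (nested "dependencies" objects) and works on a constructed sample lock embedded in the script; the function names and the sample versions are mine. Keep in mind that the lock file's nesting is the physical node_modules layout after hoisting, so the depths it prints are not the logical depths npm ls reports; what matters for npm audit is that every copy is at or above the fixed version.

```javascript
// Added example (not from the question, the answer or npm-force-resolutions):
// walk a lockfileVersion 1 package-lock.json and report every copy of a package,
// where it sits in the tree and whether it is at or above a minimum version.
// Assumptions: lockfileVersion 1 layout (nested "dependencies" objects) and plain
// x.y.z versions; pre-release suffixes are ignored by the comparison below.

// Constructed sample lock file: one hoisted kind-of that is already fixed and
// three nested copies that are still below 6.0.3.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "kind-of": { version: "6.0.3" },
    "micromatch": {
      version: "3.1.10",
      dependencies: {
        "kind-of": { version: "6.0.2" },
        "snapdragon": {
          version: "0.8.2",
          dependencies: { "kind-of": { version: "3.2.2" } },
        },
      },
    },
    "is-number": {
      version: "3.0.0",
      dependencies: { "kind-of": { version: "3.2.2" } },
    },
  },
};

// Numeric compare of dotted versions: -1, 0 or 1 like strcmp.
// Anything after "-" (pre-release) or "+" (build metadata) is dropped.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Depth-first walk over the lock file's nested "dependencies" objects.
// Depth 0 is the top level of node_modules, which after hoisting is where most
// copies end up; this is the physical layout, not the logical depth npm ls shows.
function findPackage(lock, name, minVersion) {
  const hits = [];
  function walk(deps, path, depth) {
    for (const [depName, info] of Object.entries(deps || {})) {
      const here = [...path, depName];
      if (depName === name) {
        hits.push({
          path: here.join(" > "),
          depth,
          version: info.version,
          fixed: compareVersions(info.version, minVersion) >= 0,
        });
      }
      walk(info.dependencies, here, depth + 1);
    }
  }
  walk(lock.dependencies, [], 0);
  return hits;
}

// True only when every copy in the tree is at or above the fixed version;
// a single stale nested copy is enough to keep npm audit reporting the advisory.
function auditClean(hits) {
  return hits.every((h) => h.fixed);
}

// The "resolutions" entry you would add for npm-force-resolutions, or null when
// nothing in the tree needs forcing.
function resolutionFor(name, hits, minVersion) {
  return auditClean(hits) ? null : { [name]: ">=" + minVersion };
}

if (typeof require !== "undefined" && require.main === module) {
  const hits = findPackage(SAMPLE_LOCK, "kind-of", "6.0.3");
  for (const h of hits) {
    console.log(`depth ${h.depth}  ${h.path}@${h.version}  ${h.fixed ? "ok" : "VULNERABLE"}`);
  }
  console.log("audit clean:", auditClean(hits));
  console.log("resolutions:", JSON.stringify(resolutionFor("kind-of", hits, "6.0.3")));
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); on the sample it reports four copies of kind-of, three of them below 6.0.3, so the tree is not clean and the script suggests the same "kind-of": ">=6.0.3" resolution the answer shows. Once every copy is at or above the fixed version, resolutionFor returns null and the forced resolution can be dropped again.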
