更新或安装后，节点模块的依赖项是否不会更新？

Question

我想在我的应用程序中使用react-highcharts。我使用了npm install react-highcharts，它成功了，并显示以下警告：

found 1 high severity vulnerability, run `npm audit fix` to fix them, or `npm audit` for details.

npm audit fix什么也没做；它说我必须手动解决这个问题。我运行npm audit查看发生了什么，并获得了

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ highcharts                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.2.2 <8.0.0 || >=8.1.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-highcharts > highcharts                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1227                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 994 scanned packages
  1 vulnerability requires manual review. See the full report for details.

"More info" link和"Patched in“行显示这是在highcharts >=8.1.1中修复的。最新的版本是highcharts@9.0.0，所以我决定更新它：

❯ npm update highcharts -dd
npm info it worked if it ends with ok
npm verb cli [
npm verb cli   '/usr/local/bin/node',
npm verb cli   '/usr/local/bin/npm',
npm verb cli   'update',
npm verb cli   'highcharts',
npm verb cli   '-dd'
npm verb cli ]
npm info using npm@6.14.10
npm info using node@v14.15.4
npm verb npm-session 0b92b8dc64938cea
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 1507ms
npm info ok

“如果它以ok结尾，它就能工作”，但是你看：

❯ npm list highcharts
myproj@1.0.0 /Users/actinidia/myproj
└─┬ react-highcharts@16.1.0
  └── highcharts@6.2.0

我还有highcharts@6.2.0！运行npm install highcharts只会导致highcharts的第二个副本，尽管新版本确实是9.0.0版：

├── highcharts@9.0.0
└─┬ react-highcharts@16.1.0
  └── highcharts@6.2.0

如何更新react-highcharts将使用的依赖项？

Answer 1

您应该先卸载highcharts，然后再安装。

npm uninstall react-highcharts
npm install react-highcharts

Answer 2

我跟随ppotaczek's advice并安装了Highcharts官方支持的包装器。很简单，就像

❯ npm install highcharts-react-official
npm WARN highcharts-react-official@3.0.0 requires a peer of highcharts@>=6.0.0
but none is installed. You must install peer dependencies yourself.

+ highcharts-react-official@3.0.0
added 1 package and audited 992 packages in 4.48s

❯ npm install highcharts
+ highcharts@9.0.0
added 1 package from 1 contributor and audited 993 packages in 4.978s

Answer 3

删除已安装的: node_modules和package-lock.json修改package.json格式，如下所示--强制npm install