Fixing the GitHub Security error "Dependabot cannot update to the required version"

Problem description

Dependabot cannot update to the required version
View details about this error or learn more about Dependabot security updates.

1 kind-of vulnerability found in **package-lock.json** on 3 Apr
**Remediation**
Upgrade **kind-of** to version **6.0.3** or later. For example:
"dependencies": {
"kind-of": ">=6.0.3"
}
or…
"devDependencies": {
"kind-of": ">=6.0.3"
}
Always verify the validity and compatibility of suggestions with your codebase.

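Analysis

Roughly, it says that the kind-of dependency in package-lock.json is at too low a version and asks me to change it to version 6.0.3 or later.
But when I opened package-lock.json to take a look, it was densely packed with all kinds of dependency entries, and I can't go through and change them by hand one by one.

Solution

As we know, package-lock.json is generated automatically when npm install runs.
If I reinstall everything, package-lock.json will be generated again automatically.

Steps

Delete the node_modules/ directory and the package-lock.json file, keep package.json, then run npm install to reinstall the plugins:

Delete the node_modules directory and the package-lock.json file

Site directory before deletion: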

lan@DESKTOP-8ISAT6B MINGW64 /e/Blog/blog (master)
$ ls
_admin-config.yml  FM.properties  HexoS.sh*      node_modules/      scaffolds/        themes/
_config.yml        HexoD.bat      HexoSTest.bat  package.json       source/
db.json            HexoS.bat      KillBlog.sh    package-lock.json  StartWriting.bat

Site directory after deletion:

lan@DESKTOP-8ISAT6B MINGW64 /e/Blog/blog (master)
$ ls
_admin-config.yml  db.json        HexoD.bat  HexoS.sh*      KillBlog.sh   scaffolds/  StartWriting.bat
_config.yml        FM.properties  HexoS.bat  HexoSTest.bat  package.json  source/     themes/

Reinstall the plugins listed in package.json

npm install

After installation:

lan@DESKTOP-8ISAT6B MINGW64 /e/Blog/blog (master)
$ ls
_admin-config.yml  FM.properties  HexoS.sh*      node_modules/      scaffolds/        themes/
_config.yml        HexoD.bat      HexoSTest.bat  package.json       source/
db.json            HexoS.bat      KillBlog.sh    package-lock.json  StartWriting.bat

You can see that package-lock.json is back, and the dependency versions in it have all been updated to the latest versions.

Push to GitHub

git add .
git commit

Refresh the GitHub repository page and you can see that the Security warning above is gone.
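
An added example, not part of the original post: a Node.js check that the regenerated package-lock.json no longer contains any copy of kind-of below 6.0.3, which can be run before committing. The function names and the sample lock data are constructed for illustration; the code handles both the nested v1 lockfile layout and the flat v2/v3 "packages" layout.

```javascript
// Added example: find every resolved copy of a package in package-lock.json
// that is older than a required minimum version.

// True when `version` is a plain x.y.z older than `min`.
// Pre-release suffixes are ignored; git/URL specs are not comparable and
// are therefore never flagged.
function isOlder(version, min) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  if (!m) return false;
  const want = min.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const have = Number(m[i + 1]);
    if (have !== want[i]) return have < want[i];
  }
  return false; // equal versions
}

function findOutdated(lock, name, min) {
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      const match = path === 'node_modules/' + name ||
                    path.endsWith('/node_modules/' + name);
      if (match && isOlder(entry.version, min)) hits.push({ path, version: entry.version });
    }
    return hits;
  }
  // Lockfile v1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + dep;
      if (dep === name && isOlder(entry.version, min)) hits.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (not from the page): a v1-style lock with two copies of kind-of.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'kind-of': { version: '6.0.3' },
    'micromatch': { version: '3.1.10', dependencies: { 'kind-of': { version: '6.0.2' } } },
  },
};
console.log(findOutdated(sampleLock, 'kind-of', '6.0.3'));
```

To check a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` as the first argument; an empty result means no copy below the minimum remains in the lock file.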