如何修复 package-lock.json 中未在 package.json 中列出的易受攻击的 npm 包?

听起来 Hoek 是您的一个依赖项的依赖项(因此，您在 package.json 中的一个包需要它自己的 package.json).

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it's own package.json).

您已经尝试删除/重新安装和更新您的项目依赖项但没有成功，因此似乎有问题的包依赖项指定了显式或最大版本.

You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

如果没有看到每个依赖项的 package.json，就很难就如何强制更新提供进一步建议.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

为了帮助您确定哪些包正在使用哪些依赖项，您可以使用 NPM 的 ls 命令:https://docs.npmjs.com/cli/ls

To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls

例如，查看哪些包在使用 Hoek:npm ls hoek

For example, to see which packages are using Hoek: npm ls hoek

编辑 2:正如 Ulysse BN 正确指出的那样，如果您有 NPM 版本 6 或更高版本，您可以使用 npm audit fix 要求 NPM 尝试为您修复漏洞.

Edit 2: As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

编辑 3:阅读本文的人还应该查看下面 JBallin 的回答.它扩展了我在这里提供的信息，并且(在我看来)是一个更结构化的答案，可以更好地解决 OP 的问题.但是 - 如果您想要快速修复 - 这个答案就足够了.

Edit 3: Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.