I am trying to fix the npm vulnerabilities in my project. When I ran npm audit, it gave me a command to fix the vulnerability in one of the packages:
$ npm update kind-of --depth 21
When I run this command, I get the following message:
<--- Last few GCs --->
[27677:0x43e27b0] 655989 ms: Mark-sweep 1092.0 (1432.7) -> 1092.0 (1425.7) MB, 1401.7 / 0.0 ms (average mu = 0.031, current mu = 0.007) last resort GC in old space requested
[27677:0x43e27b0] 657562 ms: Mark-sweep 1092.0 (1425.7) -> 1092.0 (1425.7) MB, 1573.0 / 0.0 ms (average mu = 0.016, current mu = 0.000) last resort GC in old space requested
<--- JS stacktrace --->
==== JS stack trace =========================================
0: ExitFrame [pc: 0x6d8f26dbe1d]
Security context: 0x3d028b51e6e1 <JSObject>
1: isExtraneous(aka isExtraneous) [0x21dd9bc867d1] [/home/qburst/.nvm/versions/node/v10.13.0/lib/node_modules/npm/lib/install/is-extraneous.js:~4] [pc=0x6d8f2f64036](this=0x36cf643826f1 <undefined>,tree=0x0ca9a56e2291 <Node map = 0x391751aadd89>)
2: /* anonymous */ [0x219a048fa6f9] [/home/qburst/.nvm/versions/node/v10.13.0/lib/node_modules/npm/lib/out...
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
1: 0x8daaa0 node::Abort() [npm]
2: 0x8daaec [npm]
3: 0xad73ce v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [npm]
4: 0xad7604 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [npm]
5: 0xec4c32 [npm]
6: 0xed444f v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) [npm]
7: 0xea21e8 v8::internal::Factory::NewTransitionArray(int, int) [npm]
8: 0x11db913 v8::internal::TransitionsAccessor::Insert(v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Map>, v8::internal::SimpleTransitionFlag) [npm]
9: 0xfcb9b6 v8::internal::Map::ConnectTransition(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::SimpleTransitionFlag) [npm]
10: 0x1005d26 v8::internal::Map::CopyReplaceDescriptors(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::DescriptorArray>, v8::internal::Handle<v8::internal::LayoutDescriptor>, v8::internal::TransitionFlag, v8::internal::MaybeHandle<v8::internal::Name>, char const*, v8::internal::SimpleTransitionFlag) [npm]
11: 0x1007764 v8::internal::Map::CopyAddDescriptor(v8::internal::Handle<v8::internal::Map>, v8::internal::Descriptor*, v8::internal::TransitionFlag) [npm]
12: 0x1007943 v8::internal::Map::CopyWithField(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::FieldType>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Representation, v8::internal::TransitionFlag) [npm]
13: 0x100cc55 v8::internal::Map::TransitionToDataProperty(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Object::StoreFromKeyed) [npm]
14: 0xfb35b8 v8::internal::LookupIterator::PrepareTransitionToDataProperty(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::Object::StoreFromKeyed) [npm]
15: 0xff0109 v8::internal::Object::AddDataProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::ShouldThrow, v8::internal::Object::StoreFromKeyed) [npm]
16: 0x100ad7d v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::Object::StoreFromKeyed) [npm]
17: 0x11654d5 v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode) [npm]
18: 0x1166630 v8::internal::Runtime_SetProperty(int, v8::internal::Object**, v8::internal::Isolate*) [npm]
19: 0x6d8f26dbe1d
[1] 27677 abort (core dumped) npm update kind-of --depth 21
Can someone help me resolve this? Thanks.
Answer 0 (score: 1)
I ran into the same error, and judging from the error my intuition is that, under the default resource settings of Node.js, npm update is simply not feasible at this depth of the dependency tree. (I admit I have not researched this further.)
Assuming my inference above is close to the truth, I would not recommend increasing any such default resource limits unless someone can tell us which values are safe and sensible. Also because this problem only occurs when using npm.
I see that you are trying to force an update of kind-of at a specific level of the dependency tree by running:
npm update kind-of --depth 21
However, since kind-of is a very widely used package, I would suggest checking all the other levels of the dependency tree (npm ls kind-of) and making sure whether fixing only the kind-of version at depth 21 would actually make npm audit come out clean.
Use npm-force-resolutions. Quoting the package description:
    This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (a dependency of a dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.
Before you use it, let me also warn you:
    The use case for this is when there is a security vulnerability and you must update a nested dependency, otherwise your project will be vulnerable. But this should only be used as a last resort; you should first update your top-level dependencies and ask them to update the vulnerable sub-dependency (npm ls can help you with that).
In your package.json you only need to add a preinstall script:
    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }
and a resolutions field:
    "resolutions": {
      "kind-of": ">=6.0.3"
    }
(assuming you want to pin the kind-of version to get rid of CVE-2019-20149)