npm shows security vulnerabilities in Laravel

Time: 2018-08-01 11:10:56

Tags: node.js laravel laravel-5 npm

npm reports vulnerabilities with a severity rating, but after running

npm chache clear
npm cache clear --force
npm audit fix
npm install

I have tried all of these and none of them solved my problem. Can anyone suggest a fix?

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 1505 packages from 755 contributors and audited 18951 packages in 378.007s
found 11 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit fix gives this result:

>npm audit fix
npm WARN ajv-keywords@3.2.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 118.757s
fixed 0 of 11 vulnerabilities in 18990 scanned packages
  11 vulnerabilities required manual review and could not be updated

And my package.json:

{
    "private": true,
    "scripts": {
        "dev": "npm run development",
        "development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
        "watch": "npm run development -- --watch",
        "watch-poll": "npm run watch -- --watch-poll",
        "hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
        "prod": "npm run production",
        "production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
    },
    "devDependencies": {
        "axios": "^0.18",
        "babel-preset-react": "^6.24.1",
        "bootstrap": "^4.0.0",
        "cross-env": "^5.1",
        "jquery": "^3.2",
        "laravel-mix": "^2.0",
        "lodash": "^4.17.4",
        "popper.js": "^1.12",
        "vue": "^2.5.7"
    },
    "dependencies": []
}

3 answers:

Answer 0 (score: 1)

The current Laravel package.json has this vulnerability because of hoek / tunnel-agent. laravel-mix uses these packages and pulls them in through its own package.json.

See more information about the issue here: https://nodesecurity.io/advisories/566
https://nodesecurity.io/advisories/598

If you remove "laravel-mix": "^2.0", the vulnerability disappears, but you can no longer use Laravel Mix.

According to the discussion here, I believe the issue has been fixed.

Answer 1 (score: 1)

If anyone is still interested in solving this, I searched on Google and found this solution.

Append this key-value pair to the "scripts" section of the package.json file:

"scripts": {
    ...
    "preinstall": "npx npm-force-resolutions", // <-- appended
},

Then add a new section after the "scripts" section, like this:

"resolutions": { // <-- appended
    "yargs-parser": "^18.1.3" 
},

Now save the file and run "npm install", and the vulnerability is gone :)

Answer 2 (score: 0)

This means that 11 of the packages you downloaded have serious vulnerabilities.

Run npm audit and it will show you the affected packages. Then check carefully whether the author has published an update. If not, you could patch it yourself, which can be hard because you don't know where they come from...

However, most up-to-date packages ship the fix in a newer version.