Background
If I run `npm audit` on a ReactJS application that I had not touched for a year (until recently), I get the following summary:

found 356 vulnerabilities (321 low, 20 moderate, 14 high, 1 critical)
in 11345 scanned packages run `npm audit fix` to fix 3 of them.
353 vulnerabilities require semver-major dependency updates.

If I run `npm audit fix`, those 3 vulnerabilities are resolved; the others are not, because they are breaking changes.
Running `npm audit` once more, I get the following summary:

found 71 vulnerabilities (36 low, 20 moderate, 14 high, 1 critical) in 11345 scanned packages
71 vulnerabilities require semver-major dependency updates.

At the top of the audit:

Run `npm install react-scripts@2.1.2` to resolve 71 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

After running `npm install react-scripts@2.1.2`, the vulnerabilities drop to 1:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
After running `npm install webpack-dev-server@3.1.14`, I get two new issues:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of webpack-dev-server
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725
The "More info" link suggests updating to version 3.1.6 or higher. I am going well beyond that...

Question
To get a better understanding of what `npm audit` does, I would like to discuss the following points:

1. Why does `npm install webpack-dev-server@3.1.14` add an issue instead of resolving the one mentioned before? It looks as if the previous issue is not even resolved...
2. Why, when only 3 issues were fixed and the total package count stayed the same, did the vulnerability count drop from 356 to 71?
3. If the audit knows that this issue has been resolved since 3.1.11, why does it not suggest `npm install webpack-dev-server@3.1.11` or higher? It did know earlier that `npm install react-scripts@2.1.2` was necessary.
4. How can I solve the issue mentioned in point 1?

PS: The nodesecurity link suggests updating webpack-dev-server to 3.1.6 or higher. I am well beyond that...
PPS: I also tried `npm install webpack-dev-server@3.1.11`, with no difference.
Answer 0: (score: 1)
The advisory page for the webpack-dev-server vulnerability lists the latest versions as affected. According to the report in {{3}}, this was caused by a typo in the npm security repository. The typo was fixed a few hours later.
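The situation in the answer above, an advisory whose published range flags an installed version that is already inside its own "patched in" range, can be spotted by cross-checking `npm audit --json` output. The following script is an added example, not code from the question or from npm; it assumes the npm 6 JSON report shape (`advisories[id].patched_versions` and `findings[].version`) and embeds a constructed report that mirrors advisory 725.

```javascript
// Cross-check each npm audit finding against the advisory's own
// "patched_versions" range. A finding whose installed version already
// satisfies that range points to a stale or mis-published advisory
// rather than to a dependency that still needs an upgrade.

const parseVersion = (v) => v.split('.').map(Number);

// Compare two dotted versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Minimal range check for the comparator syntax advisories use:
// space-separated comparators are ANDed, "||" separates alternatives.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = cmp.match(/^(>=|<=|>|<|=)?(\d+(?:\.\d+)*)$/);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1] || '='];
    }));
}

// For every finding, record whether the installed version is already
// inside the advisory's patched range (assumed npm 6 report shape).
function checkAdvisories(report) {
  const out = [];
  for (const adv of Object.values(report.advisories)) {
    for (const f of adv.findings) {
      out.push({ id: adv.id, module: adv.module_name, version: f.version,
                 patched: adv.patched_versions,
                 alreadyPatched: satisfies(f.version, adv.patched_versions) });
    }
  }
  return out;
}

// Constructed sample report: advisory 725 with one finding above and one
// below the patched range (sample data, not real audit output).
const sampleReport = { advisories: { 725: {
  id: 725, module_name: 'webpack-dev-server', title: 'Missing Origin Validation',
  severity: 'high', vulnerable_versions: '<3.1.11', patched_versions: '>=3.1.11',
  findings: [ { version: '3.1.14', paths: ['react-scripts>webpack-dev-server'] },
              { version: '3.1.6', paths: ['webpack-dev-server'] } ] } } };

for (const r of checkAdvisories(sampleReport)) {
  console.log(`${r.module}@${r.version} advisory ${r.id} patched in ${r.patched}:`,
              r.alreadyPatched ? 'already patched, review the advisory' : 'needs update');
}
```

On a real project, feed it the parsed output of `npm audit --json` instead of `sampleReport`; the two findings in the sample show the contradictory case from the question beside a genuine upgrade.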