Trying to make sense of npm audit results

Time: 2019-01-02 13:56:25

Tags: node.js reactjs npm webpack

Background

If I run npm audit on a ReactJS app that I hadn't touched in a year (until recently), I get the following summary:

found 356 vulnerabilities (321 low, 20 moderate, 14 high, 1 critical) in 11345 scanned packages
  run `npm audit fix` to fix 3 of them.
  353 vulnerabilities require semver-major dependency updates.

If I run npm audit fix, those 3 vulnerabilities get resolved; the others don't, because they are breaking changes.

Running npm audit again, I get the following summary:

found 71 vulnerabilities (36 low, 20 moderate, 14 high, 1 critical) in 11345 scanned packages
  71 vulnerabilities require semver-major dependency updates.

At the top of the audit:


  run `npm install react-scripts@2.1.2` to resolve 71 vulnerabilities
  SEMVER WARNING: Recommended action is a potentially breaking change

After running npm install react-scripts@2.1.2, the vulnerabilities are down to 1:

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance


High            Missing Origin Validation

Package         webpack-dev-server

Patched in      >=3.1.11

Dependency of   react-scripts

Path            react-scripts > webpack-dev-server

More info       https://nodesecurity.io/advisories/725

After running npm install webpack-dev-server@3.1.14, I get two new issues:

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance


High            Missing Origin Validation

Package         webpack-dev-server

Patched in      >=3.1.11

Dependency of   react-scripts

Path            react-scripts > webpack-dev-server

More info       https://nodesecurity.io/advisories/725


High            Missing Origin Validation

Package         webpack-dev-server

Patched in      >=3.1.11

Dependency of   webpack-dev-server

Path            webpack-dev-server

More info       https://nodesecurity.io/advisories/725

The More info link suggests updating to version 3.1.6 or higher. I'm going even higher than that...

Questions

To better understand what npm audit does, I'd like to discuss the following points:

  1. Why does npm install webpack-dev-server@3.1.14 add issues instead of resolving the one mentioned before? It looks like the previous issue isn't even resolved...

  2. Why does the vulnerability count drop from 356 to 71 when only 3 issues were fixed and the total number of packages stayed the same?

  3. If the audit knows this issue has been fixed since 3.1.11, why doesn't it suggest that I run npm install webpack-dev-server@3.1.11 or higher? It did know earlier that npm install react-scripts@2.1.2 was necessary.

  4. How do I resolve the issue mentioned in question 1?

PS: The nodesecurity link suggests updating webpack-dev-server to 3.1.6 or higher. I'm going well beyond that...

PPS: I also tried npm install webpack-dev-server@3.1.11, with no difference.

1 answer:

Answer 0 (score: 1)

The advisory page for the webpack-dev-server vulnerability listed the latest version as an affected version. According to the report in {{3}}, this was caused by a typo in the npm security repository. The typo was fixed a few hours later.