我最近使用ng update更新了我的angular版本
并且在运行npm audit时发现了1个严重漏洞,但未提供解决建议。通常建议从package.json升级软件包,例如:“ angular-devkit / build-angular”,但我已经在使用其最新版本。
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
我考虑安装npm i tar,但不确定。
答案 0 :(得分:6)
angular-cli依赖于node-gyp,对此有一个未解决的问题:https://github.com/nodejs/node-gyp/issues/1714
要解决此问题,可以先修补node-gyp,然后修补angular,以使用修补的node-gyp。或者等待,希望他们会尽快解决。
答案 1 :(得分:5)
以下对我有用:
转到node_modules> node_gyp> package.json,然后在依赖项下找到tar,然后将2.0.0替换为4.4.8。
然后运行:
您应该看到0个漏洞。
我更新了一些有角度的项目,每个项目都有相同的问题。始终执行上述操作。
答案 2 :(得分:1)
您应该在package-lock.json中搜索以下内容:
"tar": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
为此而重新放置:
"tar": {
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
对我有用