Confusion about the manual review section of the npm audit report

Time: 2019-05-10 04:26:26

Tags: npm audit

In my Angular project I ran npm audit to check for security vulnerabilities, and based on the documentation I can understand most of the report.
But I have not fully understood the manual review part of the npm audit output. The relevant report is as follows:

    # Run  npm install jquery@3.4.1  to resolve 2 vulnerabilities
    SEMVER WARNING: Recommended action is a potentially breaking change

    Moderate        Prototype Pollution
    Package         jquery
    Dependency of   jquery
    Path            jquery
    More info       https://nodesecurity.io/advisories/796

    High            Cross-Site Scripting (XSS)
    Package         jquery
    Dependency of   jquery
    Path            jquery
    More info       https://nodesecurity.io/advisories/328

    Manual Review
    Some vulnerabilities require your attention to resolve
    Visit https://go.npm.me/audit-guide for additional guidance

    Moderate        Prototype Pollution
    Package         jquery
    Patched in      >=3.4.0
    Dependency of   ms-signalr-client
    Path            ms-signalr-client > jquery
    More info       https://nodesecurity.io/advisories/796

    High            Cross-Site Scripting (XSS)
    Package         jquery
    Patched in      >=3.0.0
    Dependency of   ms-signalr-client
    Path            ms-signalr-client > jquery
    More info       https://nodesecurity.io/advisories/328

So my understanding is: jquery has some security issues, and jquery is a dependency of ms-signalr-client. I also checked that ms-signalr-client is listed under dependency in package.json, not under devDependency. Therefore I need to fix it, because it affects production code. Right?

So the SEMVER WARNING means that if I upgrade jquery to 3.4.1, ms-signalr-client may break. Right?

Then what can I do? Is the next step to make ms-signalr-client support the upgraded jquery?

So what is the best practice? My current plan is to skip it for now. Thanks.
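As an added example (not code from the question or from npm), here is a small Node script that does the triage the question works through by hand: for each audit finding it reports whether the top of the dependency path sits under dependencies or devDependencies in package.json (so whether it reaches production code), and whether the first patched version lies outside the range the intermediate package declares for the vulnerable module, which is the situation behind the SEMVER WARNING and the manual-review entries. The advisory entries are a constructed, simplified form of npm audit --json output, and the jquery range attributed to ms-signalr-client (^2.1.4) is an assumed value.

```javascript
// Added example, not from the question: triage npm audit findings against package.json.
// All data below is constructed; ms-signalr-client's real declared jquery range is not known here.
const packageJson = {
  dependencies: { "ms-signalr-client": "^1.0.0" }, // shipped with production code
  devDependencies: { karma: "^4.0.0" },            // build/test only
};
// Simplified form of the advisory entries `npm audit --json` emits (npm 6), built from the
// two manual-review findings in the question; the real schema carries more fields.
const advisories = [
  { id: 796, module_name: "jquery", severity: "moderate", title: "Prototype Pollution",
    patched_versions: ">=3.4.0", paths: ["ms-signalr-client>jquery"] },
  { id: 328, module_name: "jquery", severity: "high", title: "Cross-Site Scripting (XSS)",
    patched_versions: ">=3.0.0", paths: ["ms-signalr-client>jquery"] },
];
// Assumed range the intermediate package declares for the vulnerable module (constructed).
const dependentRanges = { "ms-signalr-client": { jquery: "^2.1.4" } };

const parse = (v) => v.replace(/^[^\d]*/, "").split(".").map(Number);
const cmp = (a, b) => a.map((x, i) => x - b[i]).find((d) => d !== 0) || 0;

// Minimal caret / tilde / >= / exact check, enough for the ranges used here; not full semver.
function rangeAllows(range, version) {
  const base = parse(range), v = parse(version);
  if (range.startsWith("^")) return v[0] === base[0] && cmp(v, base) >= 0;
  if (range.startsWith("~")) return v[0] === base[0] && v[1] === base[1] && cmp(v, base) >= 0;
  if (range.startsWith(">=")) return cmp(v, base) >= 0;
  return cmp(v, base) === 0;
}

// For each advisory: which package.json section the top of the path lives in (so whether the
// finding reaches production), and whether the first patched version is outside the range the
// intermediate package declares (upgrading then needs a change in that package or a major bump).
function triage(pkg, advs, ranges) {
  return advs.map((a) => {
    const top = a.paths[0].split(">")[0];
    const scope = top in (pkg.dependencies || {}) ? "dependencies"
      : top in (pkg.devDependencies || {}) ? "devDependencies" : "not a direct dependency";
    const patched = a.patched_versions.replace(/^>=/, "");
    const declared = (ranges[top] || {})[a.module_name];
    return {
      id: a.id, severity: a.severity, path: a.paths[0], scope,
      affectsProduction: scope === "dependencies",
      patched, declared,
      outsideDeclaredRange: declared === undefined ? null : !rangeAllows(declared, patched),
    };
  });
}

console.table(triage(packageJson, advisories, dependentRanges));
```

For the constructed data both findings come out as affectsProduction: true and outsideDeclaredRange: true, which is the combination that leaves only the options the question lists: wait for ms-signalr-client to accept the patched jquery, or take the breaking upgrade and re-test.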

0 answers:

No answers