这是我在package-lock.json中的node-gyp依赖项
"node-gyp": {
"version": "3.8.0",
"resolved": "http://nexus.prod-admin11.vip.aws1/nexus/content/groups/npm-edmunds/node-gyp/-/node-gyp-3.8.0.tgz",
"integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
"dev": true,
"requires": {
"fstream": "^1.0.0",
"glob": "^7.0.3",
"graceful-fs": "^4.1.2",
"mkdirp": "^0.5.0",
"nopt": "2 || 3",
"npmlog": "0 || 1 || 2 || 3 || 4",
"osenv": "0",
"request": "^2.87.0",
"rimraf": "2",
"semver": "~5.3.0",
"tar": "^2.0.0",
"which": "1"
},
"dependencies": {
"semver": {
"version": "5.3.0",
"resolved": "http://nexus.prod-admin11.vip.aws1/nexus/content/groups/npm-edmunds/semver/-/semver-5.3.0.tgz",
"integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8=",
"dev": true
}
}
},
当我在此软件包中运行纱线审核时,我会变得非常脆弱:
node-sass> node-gyp> tar
node-sass> node-gyp> tar> fstream
node-sass> node-gyp> fstream
答案 0 :(得分:0)
这两个漏洞均在次要版本中进行了修补。如果要获取依赖关系的最新版本,可能需要删除锁定文件并重新安装。