12 high severity vulnerabilities found when installing npm

Time: 2019-06-17 09:57:07

Tags: npm

In Angular 8, when I installed npm, I found 12 high severity vulnerabilities.

Versions:

Angular CLI: 8.0.3
Node: 10.16.0
OS: linux x64
Angular: 8.0.1
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, material, platform-browser
... platform-browser-dynamic, platform-server, router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.800.3
@angular-devkit/build-angular     0.800.3
@angular-devkit/build-optimizer   0.800.3
@angular-devkit/build-webpack     0.800.3
@angular-devkit/core              8.0.3
@angular-devkit/schematics        8.0.3
@angular/cli                      8.0.3
@angular/fire                     5.2.1
@angular/flex-layout              8.0.0-beta.26
@angular/http                     7.2.15
@ngtools/webpack                  8.0.3
@schematics/angular               8.0.3
@schematics/update                0.800.3
rxjs                              6.5.2
typescript                        3.4.5
webpack                           4.30.0

When I run the command npm audit it shows

     === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libcipm > npm-lifecycle > node-gyp > fstream            

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libcipm > npm-lifecycle > node-gyp > tar > fstream      

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libnpm > npm-lifecycle > node-gyp > fstream             

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libnpm > npm-lifecycle > node-gyp > tar > fstream       

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > node-gyp > fstream                                      

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > node-gyp > tar > fstream                                

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > npm-lifecycle > node-gyp > fstream                      

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > npm-lifecycle > node-gyp > tar > fstream                

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > libcipm > npm-lifecycle > node-gyp > tar                

  More info       https://npmjs.com/advisories/803                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > libnpm > npm-lifecycle > node-gyp > tar                 

  More info       https://npmjs.com/advisories/803                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > node-gyp > tar                                          

  More info       https://npmjs.com/advisories/803                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > npm-lifecycle > node-gyp > tar                          

  More info       https://npmjs.com/advisories/803 

found 12 high severity vulnerabilities in 31845 scanned packages. 12 vulnerabilities require manual review. See the full report for details.

I want to get to 0 vulnerabilities.

2 answers:

Answer 0 (score: 0)

This is not an Angular-related problem. npm is reporting that some packages have known security issues.

You can try running npm audit fix so that the dependencies are upgraded to known non-vulnerable ones (if any); otherwise you have to wait for the package maintainers to fix the issues.

Keep in mind that security vulnerabilities, while very important, are also reported for development packages, which may not be present on your production system.

If upgrading the dependencies (or changing them) does not solve it, there is nothing you can do on your own.

Answer 1 (score: 0)

Open the package.json file and search for npm, then remove the npm version line from the package.json file (e.g. "npm": "^6.9.0").

Then delete the node_modules folder and the package-lock.json file from the project.

Then install with the command npm install.

Now you should see 0 vulnerabilities.
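Every path in the audit report above starts with `npm >`, so the fstream and tar advisories come from a project-local copy of npm pulled in by a `"npm"` entry in package.json, not from Angular itself; that is why answer 1's fix works, and answer 0's re-audit confirms it. The script below is an added example, not code from either answer: it automates removing that entry, then reinstalls and re-audits. It assumes package.json is formatted one key per line (the layout npm itself writes); the sample package.json is constructed for the demo and is not the asker's file.

```shell
#!/bin/sh
# Added example (not from the original question or answers): automate the
# fix described in answer 1 and re-check with npm audit as answer 0 suggests.
# Assumptions: package.json lists one key per line (npm's own format), and
# the "npm" entry is what pulls in the vulnerable fstream/tar paths.

# Remove a project-local dependency on the npm package itself from package.json.
# $1 = path to package.json. Also repairs a comma left dangling before a
# closing brace, which would otherwise leave the file as invalid JSON.
strip_npm_dep() {
  awk '
    /^[[:space:]]*"npm"[[:space:]]*:/ { next }      # drop the "npm": "..." entry
    { lines[n++] = $0 }
    END {
      for (i = 0; i < n; i++) {
        line = lines[i]
        # if the next line closes the object, a trailing comma is invalid JSON
        if (i + 1 < n && lines[i + 1] ~ /^[[:space:]]*}/) sub(/,[[:space:]]*$/, "", line)
        print line
      }
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample package.json (not the asker's real file) with npm listed
# as a runtime dependency, placed last so the dangling-comma repair is exercised.
make_sample_package_json() {
  cat > "$1" <<'EOF'
{
  "name": "demo-app",
  "version": "0.0.0",
  "dependencies": {
    "@angular/core": "~8.0.1",
    "rxjs": "~6.5.2",
    "npm": "^6.9.0"
  },
  "devDependencies": {
    "@angular/cli": "~8.0.3",
    "typescript": "~3.4.5"
  }
}
EOF
}

# Steps 2-4 of answer 1 plus the re-audit from answer 0. Only runs when npm
# is installed, since npm install needs network access to the registry.
reinstall_and_audit() {
  if ! command -v npm >/dev/null 2>&1; then
    echo "npm not found; skipping reinstall and audit" >&2
    return 0
  fi
  rm -rf node_modules package-lock.json
  npm install
  npm audit   # with the "npm" entry gone, the "npm > ..." paths no longer exist
}

# Demo on a throwaway directory: strip the entry and show the result.
demo_dir=$(mktemp -d)
make_sample_package_json "$demo_dir/package.json"
strip_npm_dep "$demo_dir/package.json"
cat "$demo_dir/package.json"
```

To apply it to a real project, run `strip_npm_dep package.json && reinstall_and_audit` from the project root. If `npm audit` still lists findings afterwards, check whether the reported paths are under devDependencies only, as answer 0 notes; those packages never ship to production.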