在角度8中,当我安装了npm时,发现了12个严重性高的漏洞。
版本:-
Angular CLI: 8.0.3
Node: 10.16.0
OS: linux x64
Angular: 8.0.1
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, material, platform-browser
... platform-browser-dynamic, platform-server, router
Package Version
-----------------------------------------------------------
@angular-devkit/architect 0.800.3
@angular-devkit/build-angular 0.800.3
@angular-devkit/build-optimizer 0.800.3
@angular-devkit/build-webpack 0.800.3
@angular-devkit/core 8.0.3
@angular-devkit/schematics 8.0.3
@angular/cli 8.0.3
@angular/fire 5.2.1
@angular/flex-layout 8.0.0-beta.26
@angular/http 7.2.15
@ngtools/webpack 8.0.3
@schematics/angular 8.0.3
@schematics/update 0.800.3
rxjs 6.5.2
typescript 3.4.5
webpack 4.30.0
当我运行命令npm audit然后显示
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > libcipm > npm-lifecycle > node-gyp > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > libcipm > npm-lifecycle > node-gyp > tar > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > libnpm > npm-lifecycle > node-gyp > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > libnpm > npm-lifecycle > node-gyp > tar > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > node-gyp > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > node-gyp > tar > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > npm-lifecycle > node-gyp > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package fstream
Patched in >=1.0.12
Dependency of npm
Path npm > npm-lifecycle > node-gyp > tar > fstream
More info https://npmjs.com/advisories/886
High Arbitrary File Overwrite
Package tar
Patched in >=2.2.2 <3.0.0 || >=4.4.2
Dependency of npm
Path npm > libcipm > npm-lifecycle > node-gyp > tar
More info https://npmjs.com/advisories/803
High Arbitrary File Overwrite
Package tar
Patched in >=2.2.2 <3.0.0 || >=4.4.2
Dependency of npm
Path npm > libnpm > npm-lifecycle > node-gyp > tar
More info https://npmjs.com/advisories/803
High Arbitrary File Overwrite
Package tar
Patched in >=2.2.2 <3.0.0 || >=4.4.2
Dependency of npm
Path npm > node-gyp > tar
More info https://npmjs.com/advisories/803
High Arbitrary File Overwrite
Package tar
Patched in >=2.2.2 <3.0.0 || >=4.4.2
Dependency of npm
Path npm > npm-lifecycle > node-gyp > tar
More info https://npmjs.com/advisories/803
在31845个扫描程序包中发现了12个严重漏洞 需要手动审查12个漏洞。有关详细信息,请参见完整报告。
我想找到0个严重漏洞。
答案 0 :(得分:0)
这不是与角度有关的问题。 npm报告说某些软件包存在已知的安全问题。
您可以尝试运行npm audit fix以便将依赖项升级为已知的易受攻击的依赖项(如果有),否则,您必须等待软件包维护者解决这些问题。
请记住,安全漏洞虽然非常重要,但也会报告给开发包,这些开发包可能不会出现在您的生产系统中。
如果升级依赖项或(更改它们)无法解决,则您将无法独自执行任何操作。
答案 1 :(得分:0)
打开package.json文件并搜索npm,然后从package.json文件中删除npm版本行(例如“ npm”:“ ^ 6.9.0”)
然后从项目中删除node_modules文件夹和package-lock.json文件。
然后使用命令npm install安装npm。
现在您应该看到0个漏洞。