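Just looking for some advice on how I should handle the security vulnerabilities reported by npm audit. From what I can see, each reported issue indicates that it is patched in a specific version, and when I look in the node_modules folder, the versions I see there should not contain the issue.
Can someone explain to me the process I should follow when trying to diagnose and resolve the issues raised by this report?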
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate ReDoS via long string of semicolons
Package tough-cookie
Patched in >=2.3.0
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > tough-cookie
More info https://nodesecurity.io/advisories/130
High Regular Expression Denial of Service
Package tough-cookie
Patched in >=2.3.3
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > tough-cookie
More info https://nodesecurity.io/advisories/525
Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > pouchdb-utils > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-checkpointer > pouchdb-utils > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-generate-replication-id > pouchdb-md5
> pouchdb-utils > debug
More info https://nodesecurity.io/advisories/534
Moderate Prototype Pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype Pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > hawk > cryptiles >
boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype Pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype Pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
Moderate Memory Exposure
Package tunnel-agent
Patched in >=0.6.0
Dependency of pouchdb-load
Path pouchdb-load > pouchdb-ajax > request > tunnel-agent
More info https://nodesecurity.io/advisories/598
High Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of lodash-cli [dev]
Path lodash-cli > lodash
More info https://nodesecurity.io/advisories/782
High Prototype Pollution
Package lodash
Patched in >=4.17.12
Dependency of lodash-cli [dev]
Path lodash-cli > lodash
More info https://nodesecurity.io/advisories/1065
found 13 vulnerabilities (3 low, 7 moderate, 3 high) in 7172 scanned packages
run `npm audit fix` to fix 1 of them.
12 vulnerabilities require manual review. See the full report for details.