手动修复NPM中的漏洞

时间:2020-01-26 21:35:07

标签: javascript node.js angular npm

我克隆了一个存储库并做了一个pipeline,但是最后出现了一些错误。 现在,每当我运行{ $in: ['$_id', "$$actor.actors"] }时,我都会收到消息

npm install

无论我做什么,他们都保持不变,我也尝试了npm auditfound 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages 9 vulnerabilities require semver-major dependency updates. 9 vulnerabilities require manual review. See the full report for details. ,npm npm update和其他一些解决方案,但是没有任何效果。 以下是当前安装的软件包列表:

npm audit fix

最后是我的audit fix --force文件

D:\NewState\opticare>npm list --depth=0
opticare@0.0.0 D:\NewState\opticare
+-- UNMET PEER DEPENDENCY @angular/animations@5.2.11
+-- @angular/cli@1.7.4
+-- UNMET PEER DEPENDENCY @angular/common@5.2.11
+-- UNMET PEER DEPENDENCY @angular/compiler@5.2.11
+-- @angular/compiler-cli@5.2.11
+-- UNMET PEER DEPENDENCY @angular/core@5.2.11
+-- UNMET PEER DEPENDENCY @angular/forms@5.2.11
+-- @angular/http@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser-dynamic@5.2.11
+-- @angular/router@5.2.11
+-- @auth0/angular-jwt@2.1.2
+-- @ng-bootstrap/ng-bootstrap@3.3.1
+-- @swimlane/ngx-charts@7.4.0
+-- @types/datatables.net@1.10.18
+-- @types/jasmine@2.8.16
+-- @types/jquery@3.3.31
+-- @types/node@6.0.118
+-- @types/systemjs@0.20.7
+-- angular-archwizard@3.0.0
+-- angular-datatables@6.0.1
+-- angular2-csv@0.2.9
+-- angular2-spinner@1.0.10
+-- bcrypt-nodejs@0.0.3
+-- chalk@2.4.2
+-- chart.js@2.9.3
+-- codelyzer@4.5.0
+-- core-js@2.6.11
+-- cron@1.8.2
+-- datatables.net@1.10.20
+-- datatables.net-dt@1.10.20
+-- express@4.17.1
+-- file-saver@1.3.8
+-- googleapis@35.0.0
+-- http-errors@1.7.3
+-- install-peerdeps@2.0.1
+-- jasmine-core@2.8.0
+-- jasmine-spec-reporter@4.2.1
+-- jodit-angular@1.0.86
+-- jquery@3.4.1
+-- jsonwebtoken@8.5.1
+-- jwt-decode@2.2.0
+-- karma@2.0.5
+-- karma-chrome-launcher@2.2.0
+-- lodash@4.17.15
+-- moment@2.24.0
+-- moment-timezone@0.5.27
+-- mongoose@5.8.9
+-- mongoose-paginate@5.0.3
+-- multer@1.4.2
+-- ng2-nouislider@1.8.2
+-- ngx-bootstrap@2.0.5
+-- ngx-chips@1.9.8
+-- ngx-toastr@6.5.0
+-- node-cron@1.2.1
+-- node-sass@4.13.1
+-- nodemailer@4.7.0
+-- nouislider@11.1.0
+-- UNMET PEER DEPENDENCY rxjs@5.5.12
+-- shortid@2.2.15
+-- ts-helpers@1.1.2
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- twilio@3.39.3
+-- typescript@2.4.2
+-- xlsx@0.13.5
`-- zone.js@0.8.29

npm ERR! peer dep missing: @angular/animations@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/common@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/common@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/core@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/core@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by gulp-typescript@5.0.1

1 个答案:

答案 0 :(得分:5)

您必须使用npm audit并实际阅读审核日志。其中将提供有关可以安装哪些版本的漏洞的建议。有关npm审核的更多信息,请参见https://docs.npmjs.com/cli/audit

漏洞

您可以使用npm audit获得所有漏洞的报告。在该报告中,您还可以看到针对每个漏洞的修复方法。使用npm audit fix时,是在告诉npm执行这些修复程序。但是,Npm不会自动安装可能会破坏您的项目的修复程序,例如主要版本更改。如果您认为该漏洞比必须应对可能的重大更改更为重要,则必须手动执行npm install命令。

对等依赖性

另一个常见的警告是对等相关性警告。对等依赖关系不是指定依赖关系,而是指定兼容性。 请查看这篇文章,以更好地解释对等方的依赖性:https://stackoverflow.com/a/34645112/1016004

您可能会看到对等方依赖性警告,其原因有两个:缺少指定的对等方依赖性,或者对等方依赖性版本错误。在这两种情况下,您都必须自己找出正确的答案。要回答的核心问题是您是否可以在项目中安装依赖项:

  • 您是否使用了将在更新中删除的所有不推荐使用的功能,是否有任何重大更改适用于您的代码……?
  • 您是否必须还原到具有已知漏洞的版本,以可能危及用户数据的方式使用该漏洞,...?

不建议在生产环境中使用的简单解决方案是手动尝试针对拟议版本的漏洞和同级依赖项运行npm install。确保具有版本控制或备份,以便在遇到比开始时更多的错误时可以还原。

如果简单的解决方案不能解决问题,那么您将不得不寻找无法解决的约束的其他版本的软件包。也许其中任何一个软件包的先前版本都可以一起工作?

相关问题
最新问题