I installed npm and it has 7 vulnerabilities that must be fixed manually

Time: 2020-07-04 05:03:10

Tags: javascript node.js npm

  Low             Prototype Pollution

  Package         minimist

  Patched in      >=0.2.1 =1.2.3

  Dependency of   lite-server [dev]

  Path            lite-server > minimist

  More info       https://npmjs.com/advisories/1179


  High            Denial of Service

  Package         http-proxy

  Patched in      >=1.18.1

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > http-proxy

  More info       https://npmjs.com/advisories/1486


  Low             Prototype Pollution

  Package         yargs-parser

  Patched in      >=13.1.2 =15.0.1 =18.1.2

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > localtunnel > yargs >
                  yargs-parser

  More info       https://npmjs.com/advisories/1500


  Low             Prototype Pollution

  Package         yargs-parser

  Patched in      >=13.1.2 =15.0.1 =18.1.2

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > yargs > yargs-parser

  More info       https://npmjs.com/advisories/1500


  Low             Prototype Pollution

  Package         lodash

  Patched in      No patch available

  Dependency of   http-proxy-middleware [dev]

  Path            http-proxy-middleware > lodash

  More info       https://npmjs.com/advisories/1523


  Low             Prototype Pollution

  Package         lodash

  Patched in      No patch available

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > easy-extender > lodash

  More info       https://npmjs.com/advisories/1523


  Low             Prototype Pollution

  Package         lodash

  Patched in      No patch available

  Dependency of   lite-server [dev]

  Path            lite-server > lodash

  More info       https://npmjs.com/advisories/1523

found 7 vulnerabilities (6 low, 1 high) in 354 scanned packages
  7 vulnerabilities require manual review. See the full report for details.

I tried manually updating the version of each package and patching them, but the vulnerabilities are still shown. Can anyone give me advice on how to fix this?

3 answers:

Answer 0 (score: 1)

If you are completely sure that you have already resolved all the vulnerabilities you want to skip the audit for, you can do that by adding --no-audit:

npm install --no-audit

Or let npm fix it for you:

npm audit fix

But this will update the versions of the modules, which may break your code.

Answer 1 (score: 1)

If npm audit fix cannot resolve the issues, it means there is no combination of the dependency graph yet that resolves them.

This probably means one of your dependencies has a vulnerable sub-dependency but has not yet upgraded its own dependencies.

The best you can probably do is open tickets on those packages, e.g. lite-server.

Maybe also find out what the actual vulnerabilities are. The vulnerabilities I see through npm audit usually end up not really affecting me.

Answer 2 (score: 1)

The lodash prototype pollution issue has been fixed in https://github.com/lodash/lodash/pull/4759/. You should wait for the next lodash release. Also, babel plans to get rid of lodash (https://github.com/babel/babel/issues/11726).

The other issue is with the dependency on lite-server, which has been reported at https://github.com/johnpapa/lite-server/issues/176. However, lite-server is currently unmaintained. Perhaps you can manually edit package-lock.json and work around it.
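Answer 2 suggests editing package-lock.json by hand. Before doing that, you want to know every path by which the flagged package is reached (the audit above lists several for lodash and yargs-parser) and whether the resolved version at each path is already inside the advisory's "Patched in" range. The following is an added example, not code from the question, the answers or npm; the lockfile fragment and the ranges are constructed for illustration, and you would substitute the real range from the advisory.

```javascript
// Added example, not from the question or any answer: walk a lockfileVersion 1
// package-lock.json tree, list every path by which a package is reached, and check
// each resolved version against an advisory's "Patched in" range. Plain Node, no
// npm packages needed. The lockfile fragment and the ranges below are constructed.
const sampleLock = {
  dependencies: {
    "lite-server": {
      version: "2.5.4", dev: true,
      dependencies: {
        minimist: { version: "1.2.0", dev: true },
        "browser-sync": {
          version: "2.26.7", dev: true,
          dependencies: { "http-proxy": { version: "1.18.0", dev: true } },
        },
      },
    },
  },
};
const parseVer = (v) => v.split(".").map(Number); // plain x.y.z versions only
const cmpVer = (a, b) => a.map((x, i) => x - b[i]).find((d) => d !== 0) || 0;

// Subset of semver ranges as npm advisories print them: comparators separated by
// spaces (AND), alternatives separated by "||" (OR), e.g. ">=0.2.1 <1.0.0 || >=1.2.3".
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
      if (!m) throw new Error("unsupported comparator: " + comparator);
      const d = cmpVer(parseVer(version), parseVer(m[2]));
      const op = m[1] || "=";
      return op === ">=" ? d >= 0 : op === "<=" ? d <= 0 : op === ">" ? d > 0
           : op === "<" ? d < 0 : d === 0;
    }));
}

// Depth-first walk; one package can sit under several parents (lodash above appears three times).
function findPaths(tree, name, prefix = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, dep];
    if (dep === name) found.push({ path: path.join(" > "), version: info.version, dev: !!info.dev });
    found.push(...findPaths(info, name, path));
  }
  return found;
}

// One row per occurrence: does the resolved version already satisfy the patched range?
function checkAdvisory(lock, name, patchedIn) {
  return findPaths(lock, name).map((p) => ({ ...p, patched: satisfies(p.version, patchedIn) }));
}
```

Against a real lockfile, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) as the first argument; every row reported as patched: false is an entry that either needs a pinned fixed version or, as answer 1 says, a ticket upstream.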