
Ignore `nsp check` when doing `yarn/npm publish`?

I'm trying to publish a JavaScript package to an internal repository. When I do `yarn publish` (or `npm publish`) it now runs `nsp check` (otherwise wonderful feature!) to look for known vulnerabilities in any of the dependencies in my project. It finds one and exits in error:

```
[3/4] Publishing...
$ nsp check
(+) 1 vulnerability found
...
│ More Info  │ https://nodesecurity.io/advisories/nnn                 |
...
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.
```

I'd like to ignore this vulnerability and proceed with the publish anyway. How can I do that?

I understand that introducing a way to ignore a vulnerability may be misused, but in this instance the package I'm publishing is an internal tool. I've looked at the dependency's vulnerability and in no way could it be taken advantage of in the context in which I'm using it.

Sidenote: The vulnerability is nested 3 layers deep in a pretty commonly used package (`request@2.87.0`). The vulnerability itself has been fixed in its own latest version, but because this dependency is three layers deep we have to wait for each subsequent dependent to upgrade. I suspect it will take some time (there's been a ticket open in their GitHub for 3 months) and I don't want to wait on that.

I've found the answer to this:

Add a file called `.nsprc` at the top of your project. In the file add:

```json
{
    "exceptions": ["https://nodesecurity.io/advisories/nnn"]
}
```

The URL should match the URL of the vulnerability presented in the `nsp check` command.
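As an added example (not code from the question, the answer, or nsp itself), the Node.js script below mirrors how an `.nsprc` `exceptions` list suppresses findings from `nsp check`, and additionally reports exceptions that no longer match any finding, so an entry added for a transitive dependency can be removed once that dependency has been upgraded. The `.nsprc` shape is the one from the answer; every package name, version, dependency path and advisory URL other than the `nnn` placeholder from the question is a constructed sample, and `parseNsprc`, `applyExceptions`, `exitCodeFor` and `runSample` are names chosen here, not part of nsp's API.

```javascript
// Added example: apply .nsprc exceptions to nsp-style findings and flag
// stale exceptions. Package names, versions and advisory URLs below are
// constructed placeholders, not real advisories.

// An exception must name exactly one advisory URL; anything broader (a bare
// package name, a wildcard) would silently cover unrelated findings.
const ADVISORY_URL = /^https:\/\/nodesecurity\.io\/advisories\/[A-Za-z0-9-]+$/;

// Parse the text of an .nsprc file and validate its "exceptions" list.
function parseNsprc(text) {
  const config = JSON.parse(text);
  const exceptions = config.exceptions || [];
  if (!Array.isArray(exceptions)) {
    throw new Error('.nsprc "exceptions" must be an array of advisory URLs');
  }
  for (const url of exceptions) {
    if (typeof url !== "string" || !ADVISORY_URL.test(url)) {
      throw new Error(`invalid exception entry: ${JSON.stringify(url)}`);
    }
  }
  return exceptions;
}

// Split findings into those that still block the publish and those
// suppressed by an exception; also list exceptions that matched nothing.
function applyExceptions(findings, exceptions) {
  const allowed = new Set(exceptions);
  const used = new Set();
  const blocking = [];
  const suppressed = [];
  for (const finding of findings) {
    if (allowed.has(finding.advisory)) {
      used.add(finding.advisory);
      suppressed.push(finding);
    } else {
      blocking.push(finding);
    }
  }
  const unusedExceptions = exceptions.filter((url) => !used.has(url));
  return { blocking, suppressed, unusedExceptions };
}

// Same exit semantics as the failing publish step in the question:
// non-zero while any finding is not covered by an exception.
function exitCodeFor(result) {
  return result.blocking.length > 0 ? 1 : 0;
}

// Constructed sample .nsprc: one exception for the finding from the
// question and one left over from an earlier, already-upgraded dependency.
const SAMPLE_NSPRC = `{
  "exceptions": [
    "https://nodesecurity.io/advisories/nnn",
    "https://nodesecurity.io/advisories/stale-placeholder"
  ]
}`;

// Constructed findings using the fields nsp prints: module, installed
// version, patched range, dependency path and the "More Info" URL.
const SAMPLE_FINDINGS = [
  {
    module: "placeholder-dep-a",
    installed: "1.0.0",
    patched: ">=1.0.1",
    path: ["my-internal-tool", "request@2.87.0", "placeholder-dep-a"],
    advisory: "https://nodesecurity.io/advisories/nnn",
  },
  {
    module: "placeholder-dep-b",
    installed: "0.2.0",
    patched: ">=0.3.0",
    path: ["my-internal-tool", "placeholder-dep-b"],
    advisory: "https://nodesecurity.io/advisories/other-placeholder",
  },
];

// Run the sample and print a publish-style report; returns the result
// so callers can inspect it.
function runSample() {
  const exceptions = parseNsprc(SAMPLE_NSPRC);
  const result = applyExceptions(SAMPLE_FINDINGS, exceptions);
  for (const f of result.suppressed) {
    console.log(`suppressed: ${f.module}@${f.installed} via ${f.advisory} (${f.path.join(" > ")})`);
  }
  for (const f of result.blocking) {
    console.log(`BLOCKING:   ${f.module}@${f.installed}, patched in ${f.patched}: ${f.advisory}`);
  }
  for (const url of result.unusedExceptions) {
    console.log(`stale exception, remove it: ${url}`);
  }
  console.log(`exit code: ${exitCodeFor(result)}`);
  return result;
}

runSample();
```

Running it with `node` reports the `nnn` finding as suppressed, the second constructed finding as still blocking (exit code 1), and the leftover entry as stale. Reviewing the stale list after each dependency bump keeps `.nsprc` from accumulating exceptions that outlive the reason they were added.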
