堆栈内存溢出
  简体   繁体   English

npm审计任意文件覆盖

[英]npm audit Arbitrary File Overwrite

 原文  2019-04-11 14:48:07       node.js/ npm/ sass/ tar/ node-gyp

问题描述

I recently updated my version of angular using ng update and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. 我最近使用ng update更新了我的角度版本,并且在运行npm audit时发现了1个高严重性漏洞,但未提供有关如何解决它的建议。 It usually suggests to upgrade a package from package.json like: "angular-devkit/build-angular" but I am already using their latest version. 它通常建议从package.json升级包,如:“angular-devkit / build-angular”,但我已经在使用他们的最新版本。 

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance           


High            Arbitrary File Overwrite                                      

Package         tar                                                           

Patched in      >=4.4.2                                                       

Dependency of   @angular-devkit/build-angular [dev]                           

Path            @angular-devkit/build-angular > node-sass > node-gyp > tar    

More info       https://npmjs.com/advisories/803                              

found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.

I thought of installing npm i tar but I am not sure. 我想安装npm i tar但是我不确定。

3 个解决方案

解决方案1
 6  2019-04-11 16:54:10

angular-cli relies on node-gyp , who have an open issue for this: https://github.com/nodejs/node-gyp/issues/1714 angular-cli依赖于node-gyp ,他有一个未解决的问题: https//github.com/nodejs/node-gyp/issues/1714

To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. 要解决此问题,您可以修补node-gyp,然后修补angular以使用修补的节点-gyp。 Or wait and hope that they will fix it soon. 或者等一下,希望他们能尽快解决。

解决方案2
 5 已采纳  2019-04-24 08:57:09

The following worked for me: 以下对我有用:

Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8. 转到node_modules> node_gyp> package.json,然后在依赖项下找到tar并用4.4.8替换2.0.0。

Then run: 然后运行:

  1. npm i 我是谁
  2. npm audit npm审计
  3. npm audit fix npm审核修复
  4. npm audit npm审计

you should see 0 vulnerabilities. 你应该看到0个漏洞。

I've updated a few angular projects and each project had the same issue. 我已经更新了一些角度项目,每个项目都有同样的问题。 Doing the above worked all the time. 上述操作始终有效。

解决方案3
 0  2019-04-12 10:25:18

You should search in your package-lock.json this: 你应该在你的package-lock.json中搜索: 

"tar": {
  "version": "2.2.1",
  "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",

And reemplace for that: 并重新插入: 

"tar": {
  "version": "4.4.8",
  "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",

That worked for me 这对我有用

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将 NPM 审计生成为 Json 文件 - Generate NPM Audit into a Json file npm 审计与纱线审计 - npm audit versus yarn audit npm 审计 EINVALIDTAGNAME - npm audit EINVALIDTAGNAME 如何利用npm审计? - How to leverage npm audit? NPM 审计警告 - NPM audit warnings NPM审计修复 - NPM Audit fixes NPM 审计漏洞 - NPM audit vulnerabilities npm 审计修复没有改变任何东西 - npm audit fix not changing anything npm 审计卡在 ENOAUDIT 上 - npm audit gets stuck on ENOAUDIT 如何解决 NPM 审计漏洞? - How to resolve NPM audit vulnerabilities?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM