npm audit Arbitrary File Overwrite
I recently updated my version of angular using ng update and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like "angular-devkit/build-angular", but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
angular-cli relies on node-gyp, which has an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around this, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
The following worked for me:
Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
You should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
You should search in your package-lock.json for this:
"tar": {
  "version": "2.2.1",
  "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
And replace it with this:
"tar": {
  "version": "4.4.8",
  "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
That worked for me.
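As an added example, not code from the question or any of the answers, the script below does the package-lock.json search from the last answer programmatically: it walks a lockfileVersion-1 lock file (nested "dependencies" objects, as npm 6 writes them) and reports every nested tar entry older than the patched release 4.4.2 from advisory 803, with the dependency path in the same form npm audit prints. The sample lock file and the intermediate package versions in it are constructed.

```javascript
// Added example, not from the question or answers: find vulnerable copies of
// a package in a lockfileVersion-1 package-lock.json (constructed sample below).
const SAMPLE_LOCK = {                       // constructed; intermediate versions made up
  lockfileVersion: 1,
  dependencies: {
    "@angular-devkit/build-angular": {
      version: "0.13.0", dev: true,
      dependencies: {
        "node-sass": {
          version: "4.11.0",
          dependencies: {
            "node-gyp": { version: "3.8.0", dependencies: { tar: { version: "2.2.1" } } }
          }
        }
      }
    },
    tar: { version: "4.4.8" }               // top-level copy already at a patched version
  }
};

// Compare dotted numeric versions ("2.2.1" vs "4.4.2"); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk nested "dependencies" objects and collect every entry named `pkg`
// with a version below `minFixed`, recording the path as `npm audit` prints it.
function findVulnerable(lock, pkg, minFixed) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkg && compareVersions(entry.version, minFixed) < 0) {
        hits.push({ path: path.join(" > "), version: entry.version });
      }
      walk(entry.dependencies, path);       // nested node_modules
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Usage: report tar copies older than the patched release from advisory 803.
console.log(findVulnerable(SAMPLE_LOCK, "tar", "4.4.2"));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; each reported path is a nested copy that a top-level `npm i tar` alone would not replace.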