npm audit versus yarn audit
I have a React Native project (0.61.4) that uses yarn as its package manager.
When I run yarn audit, a huge number of vulnerabilities are reported:
18202 vulnerabilities found - Packages audited: 958823
Severity: 18202 High
✨ Done in 14.34s.
Most are in some very deep dependency paths. For instance:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native > @react-native-community/cli >                 │
│               │ metro-react-native-babel-transformer > @babel/core > lodash  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
When I run npm audit, it first reports:
Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
So I run:
npm i --package-lock-only
A package-lock.json file is generated. On inspection this file seems correct.
When I now run npm audit, the results are:
=== npm audit security report ===
found 0 vulnerabilities
I don't understand the discrepancy between these two package managers. Why does npm report 0 errors, and yarn 18,202?
It's very hard to estimate why this is happening without looking at both the lock files and comparing. But, as far as I can tell, it can happen only if both the lock files are resolving to different versions of the same dependencies.
Your yarn.lock file was generated earlier, thus it contains vulnerable and old versions of dependencies, and since the package-lock.json was generated afterwards, it would have resolved to latest/fixed versions of those dependencies.
Remember that npm i --package-lock-only would just create the package-lock.json file, not install anything, but it won't be at par with the actually installed packages. I think you assumed that running that command would just derive the lock file from the installed packages, but it actually generates the lock file as if you ran it without the flag.
So in conclusion, both the lock files are resolving to different (minor/patch) versions of the same dependencies.
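As an added example that is not part of the original question or answer, the following Node script lists the packages for which the two lock files resolve different versions, which is the check the answer says you would need to do by hand; the yarn.lock (v1 format) and package-lock.json (lockfileVersion 1) contents are constructed samples, and every package name and version in them is made up for illustration.

```javascript
// Added example (not from the original post): report packages that the two lock
// files resolve to different versions. Sample lock file contents are constructed.
const YARN_LOCK = `# yarn lockfile v1
"@babel/core@^7.0.0":
  version "7.6.0"
  dependencies:
    lodash "^4.17.13"
lodash@^4.17.13, lodash@^4.17.4:
  version "4.17.11"
`;
const PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 1, dependencies: {
  '@babel/core': { version: '7.6.0', requires: { lodash: '^4.17.13' } },
  lodash: { version: '4.17.15' },
} });
const addTo = (map, key, value) => (map.get(key) || map.set(key, new Set()).get(key)).add(value);

// yarn.lock v1: an unindented 'name@range, name@range:' header is followed by an indented version line.
function parseYarnLock(text) {
  const versions = new Map(); // package name -> Set of resolved versions
  let names = [];
  for (const line of text.split('\n')) {
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''))
        .map((s) => s.slice(0, s.lastIndexOf('@'))); // keeps the scope of @babel/core
    } else {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) names.forEach((n) => addTo(versions, n, m[1]));
    }
  }
  return versions;
}
// package-lock.json v1: nested "dependencies" hold the copies npm could not hoist, so walk them too.
function parsePackageLock(text) {
  const versions = new Map();
  const walk = (deps) => Object.entries(deps || {}).forEach(([name, info]) => {
    addTo(versions, name, info.version);
    walk(info.dependencies);
  });
  walk(JSON.parse(text).dependencies);
  return versions;
}
// Packages whose resolved version sets differ between the two lock files.
function lockDiff(yarnText, npmText) {
  const y = parseYarnLock(yarnText), n = parsePackageLock(npmText), diff = {};
  for (const name of new Set([...y.keys(), ...n.keys()])) {
    const yv = [...(y.get(name) || [])].sort(), nv = [...(n.get(name) || [])].sort();
    if (yv.join() !== nv.join()) diff[name] = { yarn: yv, npm: nv };
  }
  return diff;
}
console.log(lockDiff(YARN_LOCK, PACKAGE_LOCK)); // { lodash: { yarn: ['4.17.11'], npm: ['4.17.15'] } }
```

Run it against a project's real files with `fs.readFileSync('yarn.lock', 'utf8')` and `fs.readFileSync('package-lock.json', 'utf8')` in place of the samples; a package that shows up in the diff with an older yarn version is a candidate for the extra advisories yarn audit reports.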