
Fix vulnerabilities in NPM manually

I cloned a repository and did an npm install but at the end some error occurred. Now whenever I run npm audit I get the message

found 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages
  9 vulnerabilities require semver-major dependency updates.
  9 vulnerabilities require manual review. See the full report for details.

No matter what I do they stay the same. I tried npm update, npm audit fix, npm audit fix --force and some other solutions as well, but nothing worked. Here is the list of packages that are currently installed:

D:\NewState\opticare>npm list --depth=0
opticare@0.0.0 D:\NewState\opticare
+-- UNMET PEER DEPENDENCY @angular/animations@5.2.11
+-- @angular/cli@1.7.4
+-- UNMET PEER DEPENDENCY @angular/common@5.2.11
+-- UNMET PEER DEPENDENCY @angular/compiler@5.2.11
+-- @angular/compiler-cli@5.2.11
+-- UNMET PEER DEPENDENCY @angular/core@5.2.11
+-- UNMET PEER DEPENDENCY @angular/forms@5.2.11
+-- @angular/http@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser-dynamic@5.2.11
+-- @angular/router@5.2.11
+-- @auth0/angular-jwt@2.1.2
+-- @ng-bootstrap/ng-bootstrap@3.3.1
+-- @swimlane/ngx-charts@7.4.0
+-- @types/datatables.net@1.10.18
+-- @types/jasmine@2.8.16
+-- @types/jquery@3.3.31
+-- @types/node@6.0.118
+-- @types/systemjs@0.20.7
+-- angular-archwizard@3.0.0
+-- angular-datatables@6.0.1
+-- angular2-csv@0.2.9
+-- angular2-spinner@1.0.10
+-- bcrypt-nodejs@0.0.3
+-- chalk@2.4.2
+-- chart.js@2.9.3
+-- codelyzer@4.5.0
+-- core-js@2.6.11
+-- cron@1.8.2
+-- datatables.net@1.10.20
+-- datatables.net-dt@1.10.20
+-- express@4.17.1
+-- file-saver@1.3.8
+-- googleapis@35.0.0
+-- http-errors@1.7.3
+-- install-peerdeps@2.0.1
+-- jasmine-core@2.8.0
+-- jasmine-spec-reporter@4.2.1
+-- jodit-angular@1.0.86
+-- jquery@3.4.1
+-- jsonwebtoken@8.5.1
+-- jwt-decode@2.2.0
+-- karma@2.0.5
+-- karma-chrome-launcher@2.2.0
+-- lodash@4.17.15
+-- moment@2.24.0
+-- moment-timezone@0.5.27
+-- mongoose@5.8.9
+-- mongoose-paginate@5.0.3
+-- multer@1.4.2
+-- ng2-nouislider@1.8.2
+-- ngx-bootstrap@2.0.5
+-- ngx-chips@1.9.8
+-- ngx-toastr@6.5.0
+-- node-cron@1.2.1
+-- node-sass@4.13.1
+-- nodemailer@4.7.0
+-- nouislider@11.1.0
+-- UNMET PEER DEPENDENCY rxjs@5.5.12
+-- shortid@2.2.15
+-- ts-helpers@1.1.2
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- twilio@3.39.3
+-- typescript@2.4.2
+-- xlsx@0.13.5
`-- zone.js@0.8.29

npm ERR! peer dep missing: @angular/animations@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/common@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/common@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/core@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/core@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by gulp-typescript@5.0.1

and lastly my package.json file:

{
  "name": "opticare",
  "version": "0.0.0",
  "license": "MIT",
  "angular-cli": {},
  "scripts": {
    "build": "ng build",
    "ng": "ng",
    "start": "ng serve",
    "test": "ng test",
    "pree2e": "webdriver-manager update --standalone false --gecko false",
    "e2e": "protractor"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "^5.2.0",
    "@angular/common": "^5.2.0",
    "@angular/compiler": "^5.2.0",
    "@angular/compiler-cli": "^5.2.0",
    "@angular/core": "^5.2.0",
    "@angular/forms": "^5.2.0",
    "@angular/http": "^5.2.0",
    "@angular/platform-browser": "^5.2.0",
    "@angular/platform-browser-dynamic": "^5.2.0",
    "@angular/router": "^5.2.0",
    "@auth0/angular-jwt": "^2.0.0",
    "@ng-bootstrap/ng-bootstrap": "^3.2.2",
    "@swimlane/ngx-charts": "^7.4.0",
    "angular-archwizard": "^3.0.0",
    "angular-datatables": "^6.0.0",
    "angular2-csv": "^0.2.5",
    "angular2-spinner": "^1.0.10",
    "bcrypt-nodejs": "0.0.3",
    "chalk": "^2.4.1",
    "chart.js": "^2.7.2",
    "core-js": "^2.4.1",
    "cron": "^1.3.0",
    "datatables.net": "^1.10.19",
    "datatables.net-dt": "^1.10.19",
    "express": "^4.16.3",
    "file-saver": "^1.3.8",
    "googleapis": "^35.0.0",
    "http-errors": "^1.6.3",
    "install-peerdeps": "^2.0.1",
    "jodit-angular": "^1.0.59",
    "jquery": "^3.3.1",
    "jsonwebtoken": "^8.1.0",
    "jwt-decode": "^2.2.0",
    "lodash": "^4.17.10",
    "moment": "^2.22.2",
    "moment-timezone": "^0.5.21",
    "mongoose": "^5.2.4",
    "mongoose-paginate": "^5.0.3",
    "multer": "^1.3.0",
    "ng2-nouislider": "^1.7.7",
    "ngx-bootstrap": "^2.0.3",
    "ngx-chips": "^1.9.2",
    "ngx-toastr": "^6.4.0",
    "node-cron": "^1.2.1",
    "node-sass": "^4.9.2",
    "nodemailer": "^4.6.8",
    "nouislider": "^11.0.3",
    "rxjs": "^5.5.12",
    "shortid": "^2.2.8",
    "ts-helpers": "^1.1.1",
    "twilio": "^3.19.2",
    "typescript": "^2.4.2",
    "xlsx": "^0.13.0",
    "zone.js": "^0.8.19"
  },
  "devDependencies": {
    "@angular/cli": "^1.7.4",
    "@angular/compiler-cli": "^5.2.0",
    "@types/datatables.net": "^1.10.12",
    "@types/jasmine": "~2.8.3",
    "@types/jquery": "^3.3.4",
    "@types/node": "~6.0.60",
    "@types/systemjs": "^0.20.5",
    "codelyzer": "^4.0.1",
    "jasmine-core": "~2.8.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma-chrome-launcher": "~2.2.0",
    "karma": "^2.0.4"
  }
}

You'll have to use npm audit and actually read the audit log. In there will be advice on which versions can be installed to fix vulnerabilities. See https://docs.npmjs.com/cli/audit for more information on npm audit.

Vulnerabilities

You can get a report of all vulnerabilities using npm audit. In that report, for each vulnerability, you will also see a way to fix it. When you use npm audit fix you are telling npm to execute those fixes. npm, however, will not automatically install fixes that might break your project, such as major version changes. You'll have to manually execute the npm install commands for those if you decide the vulnerability is more important than having to deal with the possible breaking change.

Note: Since writing, npm audit fix --force was introduced, which will even execute patches that might introduce breaking changes. Use at your own risk; I've used it and it ended badly, very badly.

Peer dependencies

Another common warning is the peer dependency warning. Peer dependencies specify not dependency, but compatibility. Check out this post for a way better explanation of peer dependencies: https://stackoverflow.com/a/34645112/1016004

You can see a peer dependency warning for 2 reasons: the specified peer dependency is missing, or the peer dependency is of the wrong version. In both cases you will have to figure out the correct response yourself. The core question to answer is whether you can install the dependency in your project:

  • Do you use any deprecated features that will be removed in an update, do any breaking changes apply to your code, ...?
  • Do you have to revert to a version with a known vulnerability that you use in such a way that it might endanger user data, ...?

The simple solution, not recommended for production, is to just manually try to run npm install for both the vulnerabilities and peer dependencies with the proposed versions. Be sure to have version control or backups so that you can revert if you end up with more errors than you started with.

If the simple solution doesn't cut it, you'll have to look for other versions of packages that are part of the unsolvable constraints. Maybe previous versions of any of those packages can work together?
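As an added example (not part of the original answer or of npm itself), the script below reads an npm 6 style `npm audit --json` report and splits it into the three buckets the CLI summary counts: fixes `npm audit fix` applies on its own, fixes that need a semver-major install and therefore the manual `npm install pkg@version` the answer describes, and findings that need manual review. It assumes the npm 6 report layout (top-level `actions` and `advisories` keys); the embedded report is constructed, and its package names, advisory ids and versions are placeholders.

```javascript
// Constructed sample of an npm 6 `npm audit --json` report. Names, ids and
// versions are placeholders, not real advisories. Replace SAMPLE_REPORT with
// JSON.parse(fs.readFileSync(path)) to run this over a real report.
const SAMPLE_REPORT = {
  actions: [
    { action: "update", module: "minor-lib", target: "1.2.3", isMajor: false,
      resolves: [{ id: 1001, path: "minor-lib", dev: false }] },
    { action: "install", module: "major-lib", target: "2.0.0", isMajor: true,
      resolves: [{ id: 1002, path: "major-lib", dev: false }] },
    { action: "review", module: "deep-dep",
      resolves: [{ id: 1003, path: "some-pkg>deep-dep", dev: true }] },
  ],
  advisories: {
    1001: { module_name: "minor-lib", severity: "low", patched_versions: ">=1.2.3" },
    1002: { module_name: "major-lib", severity: "high", patched_versions: ">=2.0.0" },
    1003: { module_name: "deep-dep", severity: "moderate", patched_versions: "<0.0.0" },
  },
};

// Returns { auto, major, review }: one entry per (advisory, dependency path).
// A patched range of "<0.0.0" means the advisory has no fixed version yet.
function triageAudit(report) {
  const out = { auto: [], major: [], review: [] };
  for (const act of report.actions || []) {
    for (const r of act.resolves || []) {
      const adv = (report.advisories || {})[r.id] || {};
      const entry = {
        id: r.id, module: adv.module_name || act.module,
        severity: adv.severity || "unknown", path: r.path, dev: Boolean(r.dev),
        patched: adv.patched_versions || "none",
        noFix: adv.patched_versions === "<0.0.0",
      };
      if (act.action === "review") {
        out.review.push(entry);
      } else {
        // The exact command `npm audit fix` would run; the major bucket is
        // what it skips without --force, so these are run by hand after review.
        entry.command = `npm install ${act.module}@${act.target}${entry.dev ? " --save-dev" : ""}`;
        (act.isMajor ? out.major : out.auto).push(entry);
      }
    }
  }
  return out;
}

// Render the three sections with the commands for the semver-major bucket.
function formatTriage(t) {
  const lines = [`auto-fixable: ${t.auto.length}`, `semver-major (run by hand): ${t.major.length}`];
  for (const e of t.major) lines.push(`  [${e.severity}] ${e.path}: ${e.command}`);
  lines.push(`manual review: ${t.review.length}`);
  for (const e of t.review) lines.push(`  [${e.severity}] ${e.path}: patched ${e.patched}${e.noFix ? " (no fix published)" : ""}`);
  return lines;
}

console.log(formatTriage(triageAudit(SAMPLE_REPORT)).join("\n"));
```

Entries in the review bucket with no published fix are the ones to evaluate against the two questions above (exposed feature, user data at risk) rather than something an install command can resolve.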
