Fix vulnerabilities in NPM manually
I cloned a repository and did an npm install, but at the end some errors occurred. Now whenever I run npm audit I get the message
found 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages
9 vulnerabilities require semver-major dependency updates.
9 vulnerabilities require manual review. See the full report for details.
No matter what I do they stay the same. I tried npm update, npm audit fix, npm audit fix --force and some other solutions as well, but nothing worked. Here is the list of packages that are currently installed:
D:\NewState\opticare>npm list --depth=0
opticare@0.0.0 D:\NewState\opticare
+-- UNMET PEER DEPENDENCY @angular/animations@5.2.11
+-- @angular/cli@1.7.4
+-- UNMET PEER DEPENDENCY @angular/common@5.2.11
+-- UNMET PEER DEPENDENCY @angular/compiler@5.2.11
+-- @angular/compiler-cli@5.2.11
+-- UNMET PEER DEPENDENCY @angular/core@5.2.11
+-- UNMET PEER DEPENDENCY @angular/forms@5.2.11
+-- @angular/http@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser-dynamic@5.2.11
+-- @angular/router@5.2.11
+-- @auth0/angular-jwt@2.1.2
+-- @ng-bootstrap/ng-bootstrap@3.3.1
+-- @swimlane/ngx-charts@7.4.0
+-- @types/datatables.net@1.10.18
+-- @types/jasmine@2.8.16
+-- @types/jquery@3.3.31
+-- @types/node@6.0.118
+-- @types/systemjs@0.20.7
+-- angular-archwizard@3.0.0
+-- angular-datatables@6.0.1
+-- angular2-csv@0.2.9
+-- angular2-spinner@1.0.10
+-- bcrypt-nodejs@0.0.3
+-- chalk@2.4.2
+-- chart.js@2.9.3
+-- codelyzer@4.5.0
+-- core-js@2.6.11
+-- cron@1.8.2
+-- datatables.net@1.10.20
+-- datatables.net-dt@1.10.20
+-- express@4.17.1
+-- file-saver@1.3.8
+-- googleapis@35.0.0
+-- http-errors@1.7.3
+-- install-peerdeps@2.0.1
+-- jasmine-core@2.8.0
+-- jasmine-spec-reporter@4.2.1
+-- jodit-angular@1.0.86
+-- jquery@3.4.1
+-- jsonwebtoken@8.5.1
+-- jwt-decode@2.2.0
+-- karma@2.0.5
+-- karma-chrome-launcher@2.2.0
+-- lodash@4.17.15
+-- moment@2.24.0
+-- moment-timezone@0.5.27
+-- mongoose@5.8.9
+-- mongoose-paginate@5.0.3
+-- multer@1.4.2
+-- ng2-nouislider@1.8.2
+-- ngx-bootstrap@2.0.5
+-- ngx-chips@1.9.8
+-- ngx-toastr@6.5.0
+-- node-cron@1.2.1
+-- node-sass@4.13.1
+-- nodemailer@4.7.0
+-- nouislider@11.1.0
+-- UNMET PEER DEPENDENCY rxjs@5.5.12
+-- shortid@2.2.15
+-- ts-helpers@1.1.2
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- twilio@3.39.3
+-- typescript@2.4.2
+-- xlsx@0.13.5
`-- zone.js@0.8.29
npm ERR! peer dep missing: @angular/animations@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/common@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/common@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/core@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/core@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by gulp-typescript@5.0.1
and lastly my package.json file:
{
"name": "opticare",
"version": "0.0.0",
"license": "MIT",
"angular-cli": {},
"scripts": {
"build": "ng build",
"ng": "ng",
"start": "ng serve",
"test": "ng test",
"pree2e": "webdriver-manager update --standalone false --gecko false",
"e2e": "protractor"
},
"private": true,
"dependencies": {
"@angular/animations": "^5.2.0",
"@angular/common": "^5.2.0",
"@angular/compiler": "^5.2.0",
"@angular/compiler-cli": "^5.2.0",
"@angular/core": "^5.2.0",
"@angular/forms": "^5.2.0",
"@angular/http": "^5.2.0",
"@angular/platform-browser": "^5.2.0",
"@angular/platform-browser-dynamic": "^5.2.0",
"@angular/router": "^5.2.0",
"@auth0/angular-jwt": "^2.0.0",
"@ng-bootstrap/ng-bootstrap": "^3.2.2",
"@swimlane/ngx-charts": "^7.4.0",
"angular-archwizard": "^3.0.0",
"angular-datatables": "^6.0.0",
"angular2-csv": "^0.2.5",
"angular2-spinner": "^1.0.10",
"bcrypt-nodejs": "0.0.3",
"chalk": "^2.4.1",
"chart.js": "^2.7.2",
"core-js": "^2.4.1",
"cron": "^1.3.0",
"datatables.net": "^1.10.19",
"datatables.net-dt": "^1.10.19",
"express": "^4.16.3",
"file-saver": "^1.3.8",
"googleapis": "^35.0.0",
"http-errors": "^1.6.3",
"install-peerdeps": "^2.0.1",
"jodit-angular": "^1.0.59",
"jquery": "^3.3.1",
"jsonwebtoken": "^8.1.0",
"jwt-decode": "^2.2.0",
"lodash": "^4.17.10",
"moment": "^2.22.2",
"moment-timezone": "^0.5.21",
"mongoose": "^5.2.4",
"mongoose-paginate": "^5.0.3",
"multer": "^1.3.0",
"ng2-nouislider": "^1.7.7",
"ngx-bootstrap": "^2.0.3",
"ngx-chips": "^1.9.2",
"ngx-toastr": "^6.4.0",
"node-cron": "^1.2.1",
"node-sass": "^4.9.2",
"nodemailer": "^4.6.8",
"nouislider": "^11.0.3",
"rxjs": "^5.5.12",
"shortid": "^2.2.8",
"ts-helpers": "^1.1.1",
"twilio": "^3.19.2",
"typescript": "^2.4.2",
"xlsx": "^0.13.0",
"zone.js": "^0.8.19"
},
"devDependencies": {
"@angular/cli": "^1.7.4",
"@angular/compiler-cli": "^5.2.0",
"@types/datatables.net": "^1.10.12",
"@types/jasmine": "~2.8.3",
"@types/jquery": "^3.3.4",
"@types/node": "~6.0.60",
"@types/systemjs": "^0.20.5",
"codelyzer": "^4.0.1",
"jasmine-core": "~2.8.0",
"jasmine-spec-reporter": "~4.2.1",
"karma-chrome-launcher": "~2.2.0",
"karma": "^2.0.4"
}
}
You'll have to use npm audit and actually read the audit log. In there will be advice on which versions can be installed to fix vulnerabilities. See https://docs.npmjs.com/cli/audit for more information on npm audit.
You can get a report of all vulnerabilities using npm audit. In that report, for each vulnerability, you will also see a way to fix it. When you use npm audit fix you are telling npm to execute those fixes. npm, however, will not automatically install fixes that might break your project, such as major version changes. You'll have to manually execute the npm install commands for those if you decide the vulnerability is more important than having to deal with the possible breaking change.
Note: Since writing, npm audit fix --force was introduced, which will even execute patches that might introduce breaking changes. Use at your own risk; I've used it and it ended badly, very badly.
Another common warning is the peer dependency warning. Peer dependencies specify not dependency, but compatibility. Check out this post for a way better explanation of peer dependencies: https://stackoverflow.com/a/34645112/1016004
You can see a peer dependency warning for 2 reasons: the specified peer dependency is missing, or the peer dependency is of the wrong version. In both cases you will have to figure out the correct response yourself. The core question to answer is whether you can install the dependency in your project:
The simple solution, not recommended for production, is to just manually try to run npm install for both the vulnerabilities and peer dependencies with the proposed versions. Be sure to have version control or backups so that you can revert if you end up with more errors than you started with.
If the simple solution doesn't cut it, you'll have to look for other versions of packages that are part of the unsolvable constraints. Maybe previous versions of any of those packages can work together?
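As an added example (not part of the original question or answer), here is a small Node.js script that makes the two manual steps the answer describes explicit: it splits the output of npm audit --json into what npm audit fix applies on its own, the semver-major upgrades you have to npm install yourself, and the entries that need manual review; and it groups the "npm ERR! peer dep missing" lines from npm list per peer package next to the installed version, so you can see whether the peer is missing or simply the wrong major. It assumes the npm 6 JSON shape (actions and advisories keys) and the peer-dep line format shown in the question. The sample audit data, advisory ids and titles are constructed placeholders; the installed versions come from the listing in the question.

```javascript
// Added example, not code from the original question or answer.
// planAuditFixes()    takes the object `npm audit --json` prints (npm 6 shape with
//                     `actions` and `advisories`) and separates automatic fixes from
//                     semver-major upgrades and manual reviews.
// summarizePeerDeps() takes "npm ERR! peer dep missing" lines from `npm list` and groups
//                     them per peer package next to the version actually installed.
// All sample data below is constructed for this example; ids 9001-9003 and the advisory
// titles are placeholders, not real advisories.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed stand-in for `npm audit --json` output.
const SAMPLE_AUDIT = {
  actions: [
    { action: 'update', module: 'lodash', target: '4.17.15', isMajor: false,
      resolves: [{ id: 9001, path: 'lodash', dev: false }] },
    { action: 'install', module: 'node-sass', target: '5.0.0', isMajor: true,
      resolves: [{ id: 9002, path: 'node-sass>node-gyp>tar', dev: true }] },
    { action: 'review', module: 'minimist',
      resolves: [{ id: 9003, path: 'karma>optimist>minimist', dev: true }] },
  ],
  advisories: {
    9001: { module_name: 'lodash', severity: 'high', title: 'placeholder advisory A', patched_versions: '>=4.17.15' },
    9002: { module_name: 'tar', severity: 'moderate', title: 'placeholder advisory B', patched_versions: '>=4.4.2' },
    9003: { module_name: 'minimist', severity: 'low', title: 'placeholder advisory C', patched_versions: '>=1.2.3' },
  },
};

function planAuditFixes(audit) {
  const plan = { auto: [], major: [], review: [] };
  for (const action of audit.actions) {
    const advisories = action.resolves.map((r) => audit.advisories[r.id]);
    const worst = Math.max(...advisories.map((adv) => SEVERITY_RANK[adv.severity] || 0));
    const devOnly = action.resolves.every((r) => r.dev);
    const entry = {
      module: action.module,
      severity: Object.keys(SEVERITY_RANK).find((k) => SEVERITY_RANK[k] === worst),
      paths: action.resolves.map((r) => r.path), // which direct dependency pulls it in
      advisories: advisories.map((a) => `${a.module_name}: ${a.title} (patched in ${a.patched_versions})`),
    };
    if (action.action === 'review') {
      plan.review.push(entry); // no automatic fix; read the path and decide yourself
    } else if (action.isMajor) {
      // `npm audit fix` skips semver-major changes; this is the command to run by hand.
      entry.command = `npm install ${action.module}@${action.target}${devOnly ? ' --save-dev' : ''}`;
      plan.major.push(entry);
    } else {
      entry.command = 'npm audit fix';
      plan.auto.push(entry);
    }
  }
  return plan;
}

// Constructed sample in the format `npm list` printed in the question (npm repeats lines).
const SAMPLE_PEER_LINES = [
  'npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2',
  'npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9',
  'npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8',
  'npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8',
  'npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0',
];
// Installed versions as `npm list --depth=0` reported them in the question.
const SAMPLE_INSTALLED = { '@angular/common': '5.2.11', rxjs: '5.5.12' };

const PEER_RE = /^npm ERR! peer dep missing: (@?[^@\s]+)@(.+?), required by (@?[^@\s]+)@(\S+)$/;

function summarizePeerDeps(lines, installed) {
  const summary = {};
  for (const line of lines) {
    const m = PEER_RE.exec(line.trim());
    if (!m) continue;
    const [, peer, range, dependant, dependantVersion] = m;
    if (!summary[peer]) {
      summary[peer] = { installed: installed[peer] || null, requirements: [], majorsRequested: [] };
    }
    const entry = summary[peer];
    const req = `${range} (required by ${dependant}@${dependantVersion})`;
    if (!entry.requirements.includes(req)) entry.requirements.push(req); // drop repeats
    // Rough heuristic: collect the major versions the range mentions (e.g. "^6.1.0" -> 6).
    for (const major of range.match(/\d+(?=\.\d+\.\d+)/g) || []) {
      if (!entry.majorsRequested.includes(Number(major))) entry.majorsRequested.push(Number(major));
    }
  }
  // Classify using the two reasons from the answer: missing, or the wrong version.
  for (const entry of Object.values(summary)) {
    if (entry.installed === null) entry.status = 'missing';
    else if (!entry.majorsRequested.includes(Number(entry.installed.split('.')[0]))) entry.status = 'wrong major';
    else entry.status = 'check range';
  }
  return summary;
}

console.log(JSON.stringify(planAuditFixes(SAMPLE_AUDIT), null, 2));
console.log(JSON.stringify(summarizePeerDeps(SAMPLE_PEER_LINES, SAMPLE_INSTALLED), null, 2));
```

Run it with node after pasting your own npm audit --json output into SAMPLE_AUDIT and the peer-dep lines from npm list into SAMPLE_PEER_LINES. The "major" list is exactly the set of npm install commands the answer says you have to run yourself, and a peer with status "wrong major" (here @angular/common and rxjs wanting 6.x while 5.x is installed) is the unsolvable-constraint case where you either upgrade the peer or look for older versions of the packages that require it.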