
how to fix vue-cli-service vulnerability?

I just tried creating a new project with @vue/cli 4.3.1, fresh install of Ubuntu 19.10, npm 6.14.4. When I cd into the project and run npm install, I get the following:

found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit fix produces

fixed 0 of 1 vulnerability in 1285 scanned packages
  1 vulnerability required manual review and could not be updated

Upon running npm audit, I get

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server >                      │
│               │ http-proxy-middleware > http-proxy                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Is this expected? Normal? Possible to fix? It worries me that this happens with such a clean environment where nothing malicious was installed, but then I'm also not an npm expert... What should I do here?

I was setting up a new Vue project and got the same issue. I was able to find a post on Github Vue/Vue-cli where they address the issue:

https://github.com/vuejs/vue-cli/issues/5489#issuecomment-629326414

That post says they are tracking the issue, but as a note:

Note: as it's only used for the local development server, it's not an actual security vulnerability on Vue CLI projects. Feel free to ignore it if @vue/cli-service is the only source of this dependency in your project.

So, I have gone ahead and ignored it for the time being. I hope that when they update the NPM package, it will use an updated http-proxy, which addresses the issue.
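The maintainers' note above makes "ignore it" conditional on @vue/cli-service being the only route to http-proxy. The following script is an added example, not part of the original answer or of the vue-cli project, that checks exactly that precondition: it reads the advisories from `npm audit --json` (npm 6 layout: advisories, findings, paths, with "patched_versions" of "<0.0.0" meaning no patch) and flags any path that reaches the vulnerable package from a runtime dependency rather than a devDependency. Both inputs are constructed stand-ins modelled on the audit table in the question; the package.json contents and the variable/function names are assumptions.

```javascript
// Added example (not from the original post or the vue-cli project): decide whether
// each npm 6 audit advisory is reachable only through devDependencies.

// Constructed stand-in for the project's package.json (names and ranges assumed).
const packageJson = {
  dependencies: { vue: "^2.6.11" },
  devDependencies: { "@vue/cli-service": "~4.3.1" },
};

// Constructed stand-in for `npm audit --json` (npm 6 layout), trimmed to the fields
// used here. It mirrors the single finding shown in the question's audit table.
const auditReport = {
  advisories: {
    "1486": {
      id: 1486,
      module_name: "http-proxy",
      severity: "high",
      title: "Denial of Service",
      patched_versions: "<0.0.0", // npm 6's encoding of "No patch available"
      findings: [
        { paths: ["@vue/cli-service>webpack-dev-server>http-proxy-middleware>http-proxy"] },
      ],
    },
  },
};

// npm 6 writes each path as "top-level package>...>vulnerable package".
function topLevelOf(path) {
  return path.split(">")[0].trim();
}

// For every advisory, collect the paths rooted at a runtime dependency. An advisory
// is "devOnly" when no such path exists. A package listed under both dependencies
// and devDependencies counts as runtime, and an unknown root is treated as runtime
// as well, so the check fails closed.
function classifyAdvisories(report, pkg) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return Object.values(report.advisories).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths);
    const runtimePaths = paths.filter((p) => {
      const root = topLevelOf(p);
      return prod.has(root) || !dev.has(root);
    });
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      patchAvailable: adv.patched_versions !== "<0.0.0",
      devOnly: runtimePaths.length === 0,
      runtimePaths,
    };
  });
}

// One line per advisory, suitable for a CI log.
function formatResult(r) {
  const verdict = r.devOnly
    ? "dev-only (safe to defer per the vue-cli note)"
    : `reachable at runtime via ${r.runtimePaths.join(", ")}`;
  const patch = r.patchAvailable ? "patch available" : "no patch available";
  return `${r.severity.toUpperCase()} ${r.module} (#${r.id}, ${r.title}): ${verdict}; ${patch}`;
}

const results = classifyAdvisories(auditReport, packageJson);
results.forEach((r) => console.log(formatResult(r)));
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the output of `npm audit --json > audit.json`; note that npm 7 and later changed the report to a `vulnerabilities` map keyed by package name, so the parsing above is specific to npm 6. A dev-only verdict confirms the maintainers' precondition, nothing more: the vulnerable http-proxy is still loaded whenever `vue-cli-service serve` runs, so the advisory only disappears once @vue/cli-service pulls in a patched release.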

According to the tracker itself, it is fixed in http-proxy version 1.18.1.

I suggest, before creating a vue cli project, upgrading node and npm to the newest versions available. I've had the same problem and this solved it partially for me (from 108 vulnerabilities before, to 45 after).

No fixes are currently available for these issues. npm recommends considering using another package until a patch is available.
