I installed npm and it had 7 vulnerabilities that had to be fixed manually
Low | Prototype Pollution | Package: minimist | Patched in: >=0.2.1 <1.0.0 || >=1.2.3 | Dependency of: lite-server [dev] | Path: lite-server > minimist | More info: https://npmjs.com/advisories/1179
High | Denial of Service | Package: http-proxy | Patched in: >=1.18.1 | Dependency of: lite-server [dev] | Path: lite-server > browser-sync > http-proxy | More info: https://npmjs.com/advisories/1486
Low | Prototype Pollution | Package: yargs-parser | Patched in: >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 | Dependency of: lite-server [dev] | Path: lite-server > browser-sync > localtunnel > yargs > yargs-parser | More info: https://npmjs.com/advisories/1500
Low | Prototype Pollution | Package: yargs-parser | Patched in: >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 | Dependency of: lite-server [dev] | Path: lite-server > browser-sync > yargs > yargs-parser | More info: https://npmjs.com/advisories/1500
Low | Prototype Pollution | Package: lodash | Patched in: No patch available | Dependency of: http-proxy-middleware [dev] | Path: http-proxy-middleware > lodash | More info: https://npmjs.com/advisories/1523
Low | Prototype Pollution | Package: lodash | Patched in: No patch available | Dependency of: lite-server [dev] | Path: lite-server > browser-sync > easy-extender > lodash | More info: https://npmjs.com/advisories/1523
Low | Prototype Pollution | Package: lodash | Patched in: No patch available | Dependency of: lite-server [dev] | Path: lite-server > lodash | More info: https://npmjs.com/advisories/1523

found 7 vulnerabilities (6 low, 1 high) in 354 scanned packages
7 vulnerabilities require manual review. See the full report for details.
I tried to manually update the version of each package and patch them, but it still shows the vulnerabilities. Can anyone please suggest how to solve this problem?
If you are absolutely certain that you have solved all the vulnerabilities and you'd like to skip the audit, you can do so by appending --no-audit:

npm install --no-audit

Or npm will fix them for you:

npm audit fix

But this will update the versions of modules, which might break your code.
If npm audit fix does not solve the issue, it means there is not yet a combination of your dependency graph that has these issues fixed. This could mean that one of your dependencies has a vulnerable sub-dependency, but they haven't yet upgraded their dependencies.

The best thing you can probably do is open tickets for these packages, like lite-server.

It might also be worth finding out what the actual vulnerability is. Often, vulnerabilities that I see via npm audit end up not really affecting me.
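The answer above suggests checking whether each finding actually reaches you. The following is an added example, not code from the question or any of the answers: a small Node script that triages a report in the shape `npm audit --json` produced under npm 6 (an "advisories" map whose entries carry "findings" with `paths` and a `dev` flag; npm 7 and later use a different "vulnerabilities" layout, which this does not parse). The `sampleReport` object is constructed for the example from the advisories listed in the question; the `triageAudit` and `recommend` function names are this example's own.

```javascript
// Added example (not from the question or answers): triage an npm 6 style
// `npm audit --json` report so dev-only paths and unpatchable findings stand out.
// `sampleReport` is CONSTRUCTED for this example; it is not a capture of the
// asker's project. Field names follow the npm 6 JSON format as this example assumes it.
const sampleReport = {
  advisories: {
    1179: {
      id: 1179, module_name: "minimist", severity: "low", title: "Prototype Pollution",
      patched_versions: ">=0.2.1 <1.0.0 || >=1.2.3",
      url: "https://npmjs.com/advisories/1179",
      findings: [{ version: "1.2.0", paths: ["lite-server>minimist"], dev: true }],
    },
    1486: {
      id: 1486, module_name: "http-proxy", severity: "high", title: "Denial of Service",
      patched_versions: ">=1.18.1",
      url: "https://npmjs.com/advisories/1486",
      findings: [{ version: "1.18.0", paths: ["lite-server>browser-sync>http-proxy"], dev: true }],
    },
    1523: {
      id: 1523, module_name: "lodash", severity: "low", title: "Prototype Pollution",
      patched_versions: "<0.0.0", // npm 6 rendered this range as "No patch available"
      url: "https://npmjs.com/advisories/1523",
      findings: [
        { version: "4.17.15", paths: ["http-proxy-middleware>lodash"], dev: true },
        { version: "4.17.15", paths: ["lite-server>lodash", "lite-server>browser-sync>easy-extender>lodash"], dev: true },
      ],
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// One row per advisory: the top-level dependencies that pull the package in
// (the first segment of each path), whether every path is a devDependency,
// and whether a patched version exists at all.
function triageAudit(report) {
  const rows = Object.values(report.advisories || {}).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths);
    const roots = [...new Set(paths.map((p) => p.split(">")[0]))];
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      devOnly: adv.findings.every((f) => f.dev === true),
      noPatch: adv.patched_versions === "<0.0.0",
      roots,
      pathCount: paths.length,
      url: adv.url,
    };
  });
  // Highest severity first; within a severity, production paths before dev-only ones.
  return rows.sort(
    (a, b) =>
      (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1) ||
      Number(a.devOnly) - Number(b.devOnly)
  );
}

// Map the facts in a row onto the options the answers discuss.
function recommend(row) {
  if (!row.noPatch && !row.devOnly) return "upgrade now (npm audit fix, or pin the patched version in package-lock.json)";
  if (!row.noPatch) return `dev-only: upgrade via ${row.roots.join(", ")} or file an issue against it`;
  if (row.devOnly) return "no patch yet; dev-only, so wait for upstream or replace the root dependency";
  return "no patch yet and reachable in production: review the advisory and consider a replacement";
}

for (const row of triageAudit(sampleReport)) {
  console.log(
    `${row.severity.padEnd(8)} ${row.module.padEnd(12)} ${row.title.padEnd(20)} ` +
      `${row.devOnly ? "[dev]" : "[prod]"} paths=${row.pathCount} roots=${row.roots.join(",")} -> ${recommend(row)}`
  );
}
```

To run it against a real npm 6 project, replace `sampleReport` with `JSON.parse(require("fs").readFileSync(0, "utf8"))` and pipe `npm audit --json` into the script. The point of the `devOnly` column is the one the answer makes: a finding whose only paths go through a devDependency such as lite-server never ships in your production bundle, which changes how urgently it needs fixing, though it still deserves a ticket upstream.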
The lodash prototype pollution problem was fixed at https://github.com/lodash/lodash/pull/4759/ . You should wait for the next lodash release. Also, babel is planning to get rid of lodash ( https://github.com/babel/babel/issues/11726 ).

Another problem that is a dependency of lite-server was already reported at https://github.com/johnpapa/lite-server/issues/176 . However, lite-server is not maintained right now. Maybe you can manually edit package-lock.json and resolve it.
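Six of the seven findings in the question are "Prototype Pollution", and the previous answer recommends finding out what a vulnerability actually is before deciding how to treat it. The following is an added example, not code from any of the answers and not lodash's own implementation: a naive recursive merge of the kind such advisories describe, beside a hardened version, with a `pollutes` helper that shows the difference on a constructed JSON input. The function names `unsafeMerge`, `safeMerge` and `pollutes` are this example's own.

```javascript
// Added example (not from the answers, and not lodash's code): what prototype
// pollution in a deep-merge helper looks like, and the key check that closes it.

// Naive recursive merge. It walks every own key of `src`, including a key
// literally named "__proto__". On a plain object, target["__proto__"] resolves
// to Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can reach the prototype chain instead of the object itself.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened merge: drop prototype-reaching keys, and only recurse into a
// nested object that `target` owns itself, never one inherited from a prototype.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) && typeof target[key] === "object" && target[key] !== null;
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one CONSTRUCTED untrusted document through a merge function and report
// whether an unrelated, freshly created object afterwards carries the injected
// property. JSON.parse creates "__proto__" as an ordinary own key, which is
// exactly how such input arrives from a request body or config file.
function pollutes(mergeFn) {
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}}');
  try {
    mergeFn({}, untrusted);
    return ({}).isAdmin === true; // true only if Object.prototype was written to
  } finally {
    delete Object.prototype.isAdmin; // undo any pollution so the process stays clean
  }
}

console.log("unsafeMerge pollutes Object.prototype:", pollutes(unsafeMerge));
console.log("safeMerge   pollutes Object.prototype:", pollutes(safeMerge));
console.log("safeMerge result:", JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The practical takeaway for the audit findings: a merge, clone or `set`-style helper is only exploitable where it is fed attacker-controlled keys, so when you assess whether a lodash or minimist advisory matters, look for the call sites that pass parsed request bodies, query strings or user-supplied config into it. A dev-only tool such as lite-server normally has no such call site in production. As a defence in depth for code you do control, the `UNSAFE_KEYS` check above is the pattern the fixes in these libraries apply.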