
I installed npm and it had 7 vulnerabilities that had to be fixed manually

  Low             Prototype Pollution
  Package         minimist
  Patched in      >=0.2.1 =1.2.3
  Dependency of   lite-server [dev]
  Path            lite-server > minimist
  More info       https://npmjs.com/advisories/1179

  High            Denial of Service
  Package         http-proxy
  Patched in      >=1.18.1
  Dependency of   lite-server [dev]
  Path            lite-server > browser-sync > http-proxy
  More info       https://npmjs.com/advisories/1486

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 =15.0.1 =18.1.2
  Dependency of   lite-server [dev]
  Path            lite-server > browser-sync > localtunnel > yargs >
                  yargs-parser
  More info       https://npmjs.com/advisories/1500

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 =15.0.1 =18.1.2
  Dependency of   lite-server [dev]
  Path            lite-server > browser-sync > yargs > yargs-parser
  More info       https://npmjs.com/advisories/1500

  Low             Prototype Pollution
  Package         lodash
  Patched in      No patch available
  Dependency of   http-proxy-middleware [dev]
  Path            http-proxy-middleware > lodash
  More info       https://npmjs.com/advisories/1523

  Low             Prototype Pollution
  Package         lodash
  Patched in      No patch available
  Dependency of   lite-server [dev]
  Path            lite-server > browser-sync > easy-extender > lodash
  More info       https://npmjs.com/advisories/1523

  Low             Prototype Pollution
  Package         lodash
  Patched in      No patch available
  Dependency of   lite-server [dev]
  Path            lite-server > lodash
  More info       https://npmjs.com/advisories/1523

found 7 vulnerabilities (6 low, 1 high) in 354 scanned packages
  7 vulnerabilities require manual review. See the full report for details.

I tried to manually update the version of each package and patch them, but it still shows the vulnerabilities. Can anyone please suggest how to solve this problem?

If you are absolutely certain that you have solved all the vulnerabilities and would like to skip the audit, you can do so by appending --no-audit.

npm install --no-audit

or npm will fix it for you

npm audit fix

But this will update the versions of modules, which might break your code.

If npm audit fix does not solve the issue, it means there is not yet a combination of your dependency graph that has these issues fixed.

This could mean that one of your dependencies has a vulnerable sub-dependency, but they haven't yet upgraded their dependencies.

The best thing you can probably do is open tickets for these packages, like lite-server.

It might also be worth finding out what the actual vulnerability is. Often the vulnerabilities that I see via npm audit end up not really affecting me.

The lodash prototype pollution problem was fixed at https://github.com/lodash/lodash/pull/4759/ . You should wait for the next lodash release. Also, babel is planning to get rid of lodash ( https://github.com/babel/babel/issues/11726 ).

Another problem that is a dependency of lite-server was already reported at https://github.com/johnpapa/lite-server/issues/176 . However, lite-server is not maintained right now. Maybe you can manually edit package-lock.json and resolve it.
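The answers above boil down to a triage: for each finding, which direct dependency (lite-server, http-proxy-middleware) pulls the vulnerable package in, whether a patched version of that package exists at all, and whether it is a dev-only dependency. As an added example that is not part of the question or of any answer, here is a Node.js script that parses the npm 6 `npm audit` table layout shown in the question and groups the findings per direct dependency along those lines. The sample input is a constructed, trimmed copy of the question's report (four of its seven findings, with the summary line adjusted to match); the function names parseAuditReport, triage and formatTriage are my own, and the "Patched in" column is kept as the text npm printed rather than interpreted as a semver range.

```javascript
// Added example (not from the question or answers): parse the npm 6 `npm audit` table and
// group findings per direct dependency. Constructed sample: 4 of the question's 7 findings.
const SAMPLE_REPORT = `
  High            Denial of Service
  Package         http-proxy
  Patched in      >=1.18.1
  Dependency of   lite-server [dev]
  Path            lite-server > browser-sync > http-proxy
  More info       https://npmjs.com/advisories/1486
  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 =15.0.1 =18.1.2
  Dependency of   lite-server [dev]
  Path            lite-server > browser-sync > localtunnel > yargs >
                  yargs-parser
  More info       https://npmjs.com/advisories/1500
  Low             Prototype Pollution
  Package         lodash
  Patched in      No patch available
  Dependency of   http-proxy-middleware [dev]
  Path            http-proxy-middleware > lodash
  More info       https://npmjs.com/advisories/1523
  Low             Prototype Pollution
  Package         lodash
  Patched in      No patch available
  Dependency of   lite-server [dev]
  Path            lite-server > lodash
  More info       https://npmjs.com/advisories/1523
found 4 vulnerabilities (3 low, 1 high) in 354 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
`;

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
const FIELDS = { 'Package': 'package', 'Patched in': 'patchedIn',
                 'Dependency of': 'dependencyOf', 'Path': 'path', 'More info': 'moreInfo' };
// A report line is "<key>   <value>": single-spaced key words, then two or more spaces.
const FIELD_RE = /^(\S+(?: \S+)*?)\s{2,}(\S.*)$/;

function parseAuditReport(text) {
  const findings = [];
  let summary = null, current = null, lastField = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const s = line.match(/^found (\d+) vulnerabilit/);
    if (s) {
      const scanned = line.match(/(\d+) scanned packages/);
      summary = { total: Number(s[1]), scannedPackages: scanned ? Number(scanned[1]) : null };
      current = null; // everything after the summary line is commentary, not a finding
      continue;
    }
    const m = line.match(FIELD_RE);
    if (m && SEVERITY_ORDER.includes(m[1].toLowerCase())) {
      current = { severity: m[1].toLowerCase(), title: m[2], path: '' }; // a new finding starts
      findings.push(current);
      lastField = null;
    } else if (current && m && Object.prototype.hasOwnProperty.call(FIELDS, m[1])) {
      current[FIELDS[m[1]]] = m[2];
      lastField = m[1];
    } else if (current && lastField === 'Path') {
      current.path += ' ' + line; // npm wraps a long path onto an indented continuation line
    }
  }
  for (const f of findings) {
    f.dev = / \[dev\]$/.test(f.dependencyOf || '');
    f.dependencyOf = (f.dependencyOf || '').replace(/ \[dev\]$/, '');
    if (f.patchedIn === 'No patch available') f.patchedIn = null;
    f.path = f.path.split('>').map((p) => p.trim()).filter(Boolean);
  }
  return { findings, summary };
}

function triage(findings) {
  const groups = new Map();
  for (const f of findings) {
    if (!groups.has(f.dependencyOf)) groups.set(f.dependencyOf, { dependency: f.dependencyOf,
      dev: f.dev, findings: [], patchable: 0, unpatched: 0, highest: 'info', advisories: new Set() });
    const g = groups.get(f.dependencyOf);
    g.findings.push(f);
    if (f.patchedIn) g.patchable += 1; else g.unpatched += 1;
    if (f.moreInfo) g.advisories.add(f.moreInfo);
    if (SEVERITY_ORDER.indexOf(f.severity) > SEVERITY_ORDER.indexOf(g.highest)) g.highest = f.severity;
  }
  // Worst severity first, then the dependency that carries the most findings.
  return [...groups.values()].sort((a, b) =>
    SEVERITY_ORDER.indexOf(b.highest) - SEVERITY_ORDER.indexOf(a.highest) || b.findings.length - a.findings.length);
}

function formatTriage(groups) {
  return groups.map((g) => `${g.dependency}${g.dev ? ' [dev]' : ''}: ${g.findings.length} finding(s), ` +
    `highest ${g.highest}, ${g.patchable} with a patched version (blocked until ${g.dependency} updates ` +
    `its ranges), ${g.unpatched} with no patch; ${[...g.advisories].join(' ')}`).join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, summary } = parseAuditReport(SAMPLE_REPORT);
  console.log(`parsed ${findings.length} of ${summary.total} reported findings`);
  console.log(formatTriage(triage(findings)));
}
```

Run it with node; to use it on a real project, replace SAMPLE_REPORT with the captured text of `npm audit`. The two counters per group are the ones the answers care about: findings whose package has a patched version but whose direct dependency has not adopted it are the ones to raise an upstream ticket for (as was done for lite-server), and findings with no patch available cannot be fixed by npm audit fix at all, whatever the lock file says. The parser targets the npm 6 table layout shown in the question; newer npm versions print a different layout, and there `npm audit --json` is the better machine-readable source.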
