npm install `1 high severity vulnerability` node version: 12.18.3
Installed wss to my node_modules folder, and it has also installed something called istanbul? Is this normal? When installing wss it installed 47 other packages. Not sure if that is supposed to happen or if something went wrong. Tried updating the package.json file anyway and it has given some errors that I don't really understand.
Terminal output is below:
[letlziml@premium88 ~]$ source /home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/bin/activate && cd /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g https
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ https@1.0.0
added 1 package from 1 contributor in 0.457s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g ws
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ ws@7.3.1
added 1 package from 1 contributor in 0.434s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g wss
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
+ wss@3.3.4
added 47 packages from 148 contributors in 3.006s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g os
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ os@0.1.1
added 1 package from 1 contributor in 0.511s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.
See `npm help init` for definitive documentation on these fields
and exactly what they do.
Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.
Press ^C at any time to quit.
package name: (nodetest) ^C
Sorry, name can only contain URL-friendly characters and name can no longer contain capital letters.
package name: (nodetest) npm WARN init canceled
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm int -y
Usage: npm <command>
where <command> is one of:
access, adduser, audit, bin, bugs, c, cache, ci, cit,
clean-install, clean-install-test, completion, config,
create, ddp, dedupe, deprecate, dist-tag, docs, doctor,
edit, explore, fund, get, help, help-search, hook, i, init,
install, install-ci-test, install-test, it, link, list, ln,
login, logout, ls, org, outdated, owner, pack, ping, prefix,
profile, prune, publish, rb, rebuild, repo, restart, root,
run, run-script, s, se, search, set, shrinkwrap, star,
stars, start, stop, t, team, test, token, tst, un,
uninstall, unpublish, unstar, up, update, v, version, view,
whoami
npm <command> -h quick help on <command>
npm -l display full usage info
npm help <term> search for help on <term>
npm help npm involved overview
Specify configs in the ini-formatted file:
/home/letlziml/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config
npm@6.14.6 /opt/alt/alt-nodejs12/root/usr/lib/node_modules/npm
Did you mean one of these?
init
it
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init -y
Wrote to /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest/package.json:
{
"name": "NodeTest",
"version": "1.0.0",
"description": "",
"main": "app.js",
"dependencies": {},
"devDependencies": {},
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g os
+ os@0.1.1
updated 1 package in 0.377s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g fs
+ fs@0.0.1-security
added 1 package in 0.341s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g url
+ url@0.11.0
added 3 packages from 3 contributors in 0.748s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g util
+ util@0.12.3
added 27 packages from 17 contributors in 2.589s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g path
+ path@0.12.7
added 4 packages from 2 contributors in 0.772s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g http
+ http@0.0.1-security
added 1 package in 0.351s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g https
+ https@1.0.0
updated 1 package in 0.326s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g crypto
npm WARN deprecated crypto@1.0.1: This package is no longer supported. It's now a built-in Node module. If you've depended on crypto, you should switch to the one that's built-in.
+ crypto@1.0.1
added 1 package in 0.327s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g events
+ events@3.2.0
added 1 package from 1 contributor in 0.358s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g querystring
+ querystring@0.2.0
added 1 package from 1 contributor in 0.341s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init -y
Wrote to /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest/package.json:
{
"name": "NodeTest",
"version": "1.0.0",
"main": "app.js",
"dependencies": {},
"devDependencies": {},
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC",
"description": ""
}
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install --save wss
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN NodeTest@1.0.0 No description
npm WARN NodeTest@1.0.0 No repository field.
+ wss@3.3.4
added 47 packages from 148 contributors and audited 47 packages in 43.684s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! A complete log of this run can be found in:
npm ERR! /home/letlziml/.npm/_logs/2020-10-09T14_58_00_189Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! A complete log of this run can be found in:
npm ERR! /home/letlziml/.npm/_logs/2020-10-09T14_58_24_982Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm i --package-lock-only
npm WARN NodeTest@1.0.0 No description
npm WARN NodeTest@1.0.0 No repository field.
audited 47 packages in 0.911s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! A complete log of this run can be found in:
npm ERR! /home/letlziml/.npm/_logs/2020-10-09T15_00_00_845Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$
Tried `npm audit fix` as the terminal suggested, but it is saying that it needs manual review?
There are a couple of questions here. I'll try to cover them all.
it has also installed something called istanbul? Is this normal?
Yes, this is expected: istanbul is a dependency of wss.
it installed 47 other packages. Not sure if that is supposed to happen or if something went wrong
This sounds right. wss has 2 direct dependencies (ws and istanbul). ws has no dependencies, but istanbul has 14. If you continue further down the dependency chain it should add up to 47 dependencies.
Tried `npm audit fix` as the terminal suggested, but it is saying that it needs manual review?
There is a security issue in the ws dependency for versions 2.0.0 to 3.3.0 (see the audit snippet below). Unfortunately, wss has the ws dependency pinned to version ^2.3.1 (see https://github.com/ivoputzer/wss/blob/master/package.json#L34 ), so no compatible versions are patched. This is an issue that needs to be fixed in the wss library.
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.1.5 <2.0.0 || >=3.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ wss > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 47 scanned packages
1 vulnerability requires manual review. See the full report for details.
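To see why `npm audit fix` has nothing it can do here, the following is an added example (not code from the question, the answer, or the wss project) that checks whether the `^2.3.1` range wss declares can ever reach a patched ws version. The `satisfies`, `caretToRange` and `autoFixable` helpers and the tiny semver subset they implement are constructed for this illustration; the ranges come from the audit table and the answer above.

```javascript
// Added example, not code from the question or the answer: it models the advisory
// in the audit table (ws patched in ">= 1.1.5 <2.0.0 || >=3.3.1", vulnerable 2.0.0
// to 3.3.0) against the "^2.3.1" range wss declares, using a small semver subset
// (three-part versions, caret ranges for major >= 1, >= <= > < and "||") so it runs
// with plain Node and no npm or semver package.

const parse = (v) => v.split('.').map(Number);      // "3.3.1" -> [3, 3, 1]

function cmp(a, b) {                                 // sign of a - b
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// "^2.3.1" allows >=2.3.1 <3.0.0, so npm can never resolve it to 3.3.1.
function caretToRange(caret) {
  const base = caret.slice(1);
  return `>=${base} <${parse(base)[0] + 1}.0.0`;
}

// ">= 1.1.5 <2.0.0 || >=3.3.1" -> one comparator set per "||" alternative
function parseRange(text) {
  return text.split('||').map((alt) =>
    [...alt.matchAll(/(>=|<=|>|<)\s*(\d+\.\d+\.\d+)/g)].map((m) => ({ op: m[1], v: m[2] })));
}

function satisfies(version, rangeText) {
  return parseRange(rangeText).some((set) => set.every(({ op, v }) => {
    const c = cmp(version, v);
    return op === '>=' ? c >= 0 : op === '<=' ? c <= 0 : op === '>' ? c > 0 : c < 0;
  }));
}

// `npm audit fix` can only act when some version lies in BOTH the declared range
// and a patched range. All lower bounds here are closed (>=), so testing each
// lower bound (declared and patched) against both ranges decides the question.
function autoFixable(declaredCaret, patchedRange) {
  const declared = caretToRange(declaredCaret);
  const lowerBounds = [declaredCaret.slice(1)].concat(
    parseRange(patchedRange).flat().filter((c) => c.op === '>=').map((c) => c.v));
  return lowerBounds.some((v) => satisfies(v, declared) && satisfies(v, patchedRange));
}

const PATCHED = '>= 1.1.5 <2.0.0 || >=3.3.1';   // "Patched in" row of the audit table
const VULNERABLE = '>=2.0.0 <=3.3.0';           // "versions 2.0.0 to 3.3.0" per the answer

console.log(satisfies('2.3.1', VULNERABLE));     // true: lowest ^2.3.1 pick is affected
console.log(autoFixable('^2.3.1', PATCHED));     // false: manual review; wss must bump ws
console.log(autoFixable('^3.0.0', PATCHED));     // true: ^3.0.0 can reach 3.3.1
```

Until wss publishes a release that declares a ws range reaching 3.3.1 or later, the finding stays in the "manual review" bucket no matter how often `npm audit fix` is run.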