npm_install `1 high severity vulnerability` node version: 12.18.3

Installed wss to my node_modules folder, and it has also installed something called istanbul? Is this normal? When installing wss it installed 47 other packages. Not sure if that is supposed to happen or if something went wrong. Tried updating the package.json file anyway and it has given some errors that I don't really understand.

Terminal output is below:

[letlziml@premium88 ~]$ source /home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/bin/activate && cd /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g https
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ https@1.0.0
added 1 package from 1 contributor in 0.457s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g ws
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ ws@7.3.1
added 1 package from 1 contributor in 0.434s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g wss
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
+ wss@3.3.4
added 47 packages from 148 contributors in 3.006s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g os
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ os@0.1.1
added 1 package from 1 contributor in 0.511s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (nodetest) ^C
Sorry, name can only contain URL-friendly characters and name can no longer contain capital letters.
package name: (nodetest) npm WARN init canceled
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm int -y

Usage: npm <command>

where <command> is one of:
    access, adduser, audit, bin, bugs, c, cache, ci, cit,
    clean-install, clean-install-test, completion, config,
    create, ddp, dedupe, deprecate, dist-tag, docs, doctor,
    edit, explore, fund, get, help, help-search, hook, i, init,
    install, install-ci-test, install-test, it, link, list, ln,
    login, logout, ls, org, outdated, owner, pack, ping, prefix,
    profile, prune, publish, rb, rebuild, repo, restart, root,
    run, run-script, s, se, search, set, shrinkwrap, star,
    stars, start, stop, t, team, test, token, tst, un,
    uninstall, unpublish, unstar, up, update, v, version, view,
    whoami

npm <command> -h  quick help on <command>
npm -l            display full usage info
npm help <term>   search for help on <term>
npm help npm      involved overview

Specify configs in the ini-formatted file:
    /home/letlziml/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config

npm@6.14.6 /opt/alt/alt-nodejs12/root/usr/lib/node_modules/npm

Did you mean one of these?
    init
    it
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init -y
Wrote to /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest/package.json:

{
  "name": "NodeTest",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "dependencies": {},
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g os
+ os@0.1.1
updated 1 package in 0.377s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g fs
+ fs@0.0.1-security
added 1 package in 0.341s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g url
+ url@0.11.0
added 3 packages from 3 contributors in 0.748s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g util
+ util@0.12.3
added 27 packages from 17 contributors in 2.589s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g path
+ path@0.12.7
added 4 packages from 2 contributors in 0.772s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g http
+ http@0.0.1-security
added 1 package in 0.351s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g https
+ https@1.0.0
updated 1 package in 0.326s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g crypto
npm WARN deprecated crypto@1.0.1: This package is no longer supported. It's now a built-in Node module. If you've depended on crypto, you should switch to the one that's built-in.
+ crypto@1.0.1
added 1 package in 0.327s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g events
+ events@3.2.0
added 1 package from 1 contributor in 0.358s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g querystring
+ querystring@0.2.0
added 1 package from 1 contributor in 0.341s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init -y
Wrote to /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest/package.json:

{
  "name": "NodeTest",
  "version": "1.0.0",
  "main": "app.js",
  "dependencies": {},
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": ""
}


[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install --save wss
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN NodeTest@1.0.0 No description
npm WARN NodeTest@1.0.0 No repository field.

+ wss@3.3.4
added 47 packages from 148 contributors and audited 47 packages in 43.684s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/letlziml/.npm/_logs/2020-10-09T14_58_00_189Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/letlziml/.npm/_logs/2020-10-09T14_58_24_982Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm i --package-lock-only
npm WARN NodeTest@1.0.0 No description
npm WARN NodeTest@1.0.0 No repository field.

audited 47 packages in 0.911s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/letlziml/.npm/_logs/2020-10-09T15_00_00_845Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$

Tried npm audit fix as the terminal suggested, but it is saying that it needs manual review?


There are a couple of questions here. I'll try to cover them all.

it has also installed something called istanbul? Is this normal?

Yes, this is expected; istanbul is a dependency of wss.

it installed 47 other packages.. Not sure if that is supposed to happen or if something went wrong

This sounds right: wss has 2 direct dependencies (ws and istanbul). ws has no dependencies but istanbul has 14. If you continue down the dependency chain further it should add up to 47 dependencies.

Tried npm audit fix as the terminal suggested, but it is saying that it needs manual review?

There is a security issue in the ws dependency for versions 2.0.0 to 3.3.0 (see audit snippet below). Unfortunately wss has the ws dependency pinned to version ^2.3.1 (see https://github.com/ivoputzer/wss/blob/master/package.json#L34), so no compatible versions are patched. This is an issue that needs to be fixed in the wss library.

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 1.1.5 <2.0.0 || >=3.3.1                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wss                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wss > ws                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/550                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 47 scanned packages
  1 vulnerability requires manual review. See the full report for details.
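To make the "manual review" verdict above concrete, here is an added example (my own code, not from the answer's author or from npm) that reproduces the check: take the range wss declares for ws (`^2.3.1`) and the "Patched in" ranges from the audit report, and test whether any allowed version is patched. It only handles caret ranges and `||`-separated comparator sets, and the function names are my own.

```javascript
// Added example, not from the original question or answer: a minimal semver check that
// mirrors why npm audit reported "manual review" for wss > ws. Handles only caret ranges
// (^2.3.1) and comparator sets (">= 1.1.5 <2.0.0 || >=3.3.1"); no `semver` package needed.
function parseVersion(v) {
  return v.trim().split('.').map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Intervals: lo/hi are version triples or null (unbounded), loInc/hiInc give inclusivity.
// A caret range ^X.Y.Z (X > 0) means >=X.Y.Z <(X+1).0.0, which is how wss pins ws.
function caretToInterval(range) {
  const v = parseVersion(range.slice(1));
  return { lo: v, loInc: true, hi: [v[0] + 1, 0, 0], hiInc: false };
}

// One "||" alternative of comparators, e.g. ">= 1.1.5 <2.0.0" or ">=3.3.1".
function comparatorsToInterval(text) {
  const iv = { lo: null, loInc: true, hi: null, hiInc: false };
  const re = /(>=|<=|>|<)\s*(\d+\.\d+\.\d+)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const v = parseVersion(m[2]);
    if (m[1][0] === '>') { iv.lo = v; iv.loInc = m[1] === '>='; }
    else { iv.hi = v; iv.hiInc = m[1] === '<='; }
  }
  return iv;
}

// Two intervals overlap when the larger lower bound still sits below the smaller upper bound.
function intersects(a, b) {
  let lo = a.lo, loInc = a.loInc, hi = a.hi, hiInc = a.hiInc;
  if (lo === null || (b.lo !== null && cmp(b.lo, lo) > 0)) { lo = b.lo; loInc = b.loInc; }
  else if (b.lo !== null && cmp(b.lo, lo) === 0) loInc = loInc && b.loInc;
  if (hi === null || (b.hi !== null && cmp(b.hi, hi) < 0)) { hi = b.hi; hiInc = b.hiInc; }
  else if (b.hi !== null && cmp(b.hi, hi) === 0) hiInc = hiInc && b.hiInc;
  if (lo === null || hi === null) return true;
  const c = cmp(lo, hi);
  return c < 0 || (c === 0 && loInc && hiInc);
}

// True when some version the dependency range allows is already patched (npm audit fix can
// bump it); false means, as for wss's ^2.3.1 pin on ws, the fix has to land upstream first.
function fixableByAudit(dependencyRange, patchedRanges) {
  const wanted = caretToInterval(dependencyRange);
  return patchedRanges.split('||').some(alt => intersects(wanted, comparatorsToInterval(alt)));
}
```

`fixableByAudit('^2.3.1', '>= 1.1.5 <2.0.0 || >=3.3.1')` returns `false`, which is exactly the situation the report flags: the only remedy is a new wss release that widens or bumps its ws range.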
