
Going round in vulnerability circles installing firebase-tools npm

I'm trying to install firebase tools. However, I am presented with this error:

# npm audit report

express  <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/express

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install firebase-tools@1.2.0, which is a breaking change
node_modules/firebase-tools/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/firebase-tools/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/firebase-tools/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/firebase-tools/node_modules/superstatic/node_modules/update-notifier
      node_modules/firebase-tools/node_modules/update-notifier
        firebase-tools  >=2.0.0
        Depends on vulnerable versions of update-notifier
        node_modules/firebase-tools
        superstatic  >=0.12.11
        Depends on vulnerable versions of update-notifier
        node_modules/firebase-tools/node_modules/superstatic

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/minimatch

qs  6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/qs
node_modules/firebase-tools/node_modules/request/node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/firebase-tools/node_modules/body-parser
  express  <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
  Depends on vulnerable versions of qs
  node_modules/firebase-tools/node_modules/express

10 vulnerabilities (6 moderate, 4 high)

When I run:

npm audit fix // or
npm audit fix --force

I get the exact same error.

I then tried to see if updating the packages manually would help, for example by running:

npm install qs@latest

But I get the exact same issues.

I have also

  • deleted my package-lock.json file and the node_modules folder and tried a fresh install. Still yada.

Why can't I seem to break out of this loop?

SOLVED:

I managed to get around it by using the auto install script and not npm, from https://firebase.google.com/docs/cli#mac-linux-auto-script:

curl -sL https://firebase.tools | bash

I am now able to use firebase init, log in and deploy... phew!

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you reproduce them, please credit this site or the original source. Questions: yoyou2525@163.com.

Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM