
Github says I have a Node security vulnerability in package-lock (cryptiles) but it's not installed in package.json and I'm not using it, solutions?

Basically, I have a node project and recently github has flagged a potential security vulnerability in one of my dependencies.

It's with cryptiles being version 3.1.2 and recommends I go to version 4.1.2.

Cryptiles is in my package-lock.json but I don't currently have it installed in my package.json nor is it being used anywhere in my project.

I've never worked just with package-lock.json, I tried to change the version in there, but when I run npm install, it changes it back. Solutions?

Would upgrading Node solve it? One of my npm modules? Should I just dismiss this since it's not being used in my project? Want to make sure I'm being safe though.

Here are the two sections in my package-lock.json with cryptiles; neither that nor hawk is installed in my package.json:

    "cryptiles": {
      "version": "3.1.2",
      "resolved": "https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz",
      "integrity": "sha1-qJ+7Ig9c4l7FboxKqKT9e1sNKf4=",
      "requires": {
        "boom": "5.2.0"
      }
    },

And here:

    "hawk": {
      "version": "6.0.2",
      "resolved": "https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz",
      "integrity": "sha512-miowhl2+U7Qle4vdLqDdPt9m09K6yZhkLDTWGoUiUzrQCn+mHHSmfJgAyGaLRZbPmTqfFFjRV1QWCW0VWUJBbQ==",
      "requires": {
        "boom": "4.3.1",
        "cryptiles": "3.1.2",
        "hoek": "4.2.1",
        "sntp": "2.1.0"
      }
    },

Would appreciate any help and anyone who can help me understand the situation so this doesn't happen again.

    Found moderate severity vulnerabilities

    run npm audit fix to fix them, or npm audit for details

npm ls {module name} will allow you to see the dependency tree. Updating the parent dependency usually fixes the transitive dependency (dependency of dependency). This article can be helpful if you need to force a dependency version. https://www.npmjs.com/package/npm-force-resolutions

Following some suggestions above, I followed the dependencies to see which npm module I installed used it. I upgraded the module, and it removed the dependency and the issue.
