手動修復 NPM 中的漏洞
[英]Fix vulnerabilities in NPM manually
問題描述
我克隆了一個存儲庫並進行了npm install但最后出現了一些錯誤。 現在每當我運行npm audit我都會收到消息
found 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages
9 vulnerabilities require semver-major dependency updates.
9 vulnerabilities require manual review. See the full report for details.
無論我做什么,它們都保持不變,我嘗試了npm update 、 npm audit fix 、 npm audit fix --force和其他一些解決方案,但沒有任何效果。 以下是當前安裝的軟件包列表:
D:\NewState\opticare>npm list --depth=0
opticare@0.0.0 D:\NewState\opticare
+-- UNMET PEER DEPENDENCY @angular/animations@5.2.11
+-- @angular/cli@1.7.4
+-- UNMET PEER DEPENDENCY @angular/common@5.2.11
+-- UNMET PEER DEPENDENCY @angular/compiler@5.2.11
+-- @angular/compiler-cli@5.2.11
+-- UNMET PEER DEPENDENCY @angular/core@5.2.11
+-- UNMET PEER DEPENDENCY @angular/forms@5.2.11
+-- @angular/http@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser-dynamic@5.2.11
+-- @angular/router@5.2.11
+-- @auth0/angular-jwt@2.1.2
+-- @ng-bootstrap/ng-bootstrap@3.3.1
+-- @swimlane/ngx-charts@7.4.0
+-- @types/datatables.net@1.10.18
+-- @types/jasmine@2.8.16
+-- @types/jquery@3.3.31
+-- @types/node@6.0.118
+-- @types/systemjs@0.20.7
+-- angular-archwizard@3.0.0
+-- angular-datatables@6.0.1
+-- angular2-csv@0.2.9
+-- angular2-spinner@1.0.10
+-- bcrypt-nodejs@0.0.3
+-- chalk@2.4.2
+-- chart.js@2.9.3
+-- codelyzer@4.5.0
+-- core-js@2.6.11
+-- cron@1.8.2
+-- datatables.net@1.10.20
+-- datatables.net-dt@1.10.20
+-- express@4.17.1
+-- file-saver@1.3.8
+-- googleapis@35.0.0
+-- http-errors@1.7.3
+-- install-peerdeps@2.0.1
+-- jasmine-core@2.8.0
+-- jasmine-spec-reporter@4.2.1
+-- jodit-angular@1.0.86
+-- jquery@3.4.1
+-- jsonwebtoken@8.5.1
+-- jwt-decode@2.2.0
+-- karma@2.0.5
+-- karma-chrome-launcher@2.2.0
+-- lodash@4.17.15
+-- moment@2.24.0
+-- moment-timezone@0.5.27
+-- mongoose@5.8.9
+-- mongoose-paginate@5.0.3
+-- multer@1.4.2
+-- ng2-nouislider@1.8.2
+-- ngx-bootstrap@2.0.5
+-- ngx-chips@1.9.8
+-- ngx-toastr@6.5.0
+-- node-cron@1.2.1
+-- node-sass@4.13.1
+-- nodemailer@4.7.0
+-- nouislider@11.1.0
+-- UNMET PEER DEPENDENCY rxjs@5.5.12
+-- shortid@2.2.15
+-- ts-helpers@1.1.2
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- twilio@3.39.3
+-- typescript@2.4.2
+-- xlsx@0.13.5
`-- zone.js@0.8.29
npm ERR! peer dep missing: @angular/animations@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/common@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/common@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/core@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/core@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by gulp-typescript@5.0.1
最后是我的package.json文件
{
"name": "opticare",
"version": "0.0.0",
"license": "MIT",
"angular-cli": {},
"scripts": {
"build": "ng build",
"ng": "ng",
"start": "ng serve",
"test": "ng test",
"pree2e": "webdriver-manager update --standalone false --gecko false",
"e2e": "protractor"
},
"private": true,
"dependencies": {
"@angular/animations": "^5.2.0",
"@angular/common": "^5.2.0",
"@angular/compiler": "^5.2.0",
"@angular/compiler-cli": "^5.2.0",
"@angular/core": "^5.2.0",
"@angular/forms": "^5.2.0",
"@angular/http": "^5.2.0",
"@angular/platform-browser": "^5.2.0",
"@angular/platform-browser-dynamic": "^5.2.0",
"@angular/router": "^5.2.0",
"@auth0/angular-jwt": "^2.0.0",
"@ng-bootstrap/ng-bootstrap": "^3.2.2",
"@swimlane/ngx-charts": "^7.4.0",
"angular-archwizard": "^3.0.0",
"angular-datatables": "^6.0.0",
"angular2-csv": "^0.2.5",
"angular2-spinner": "^1.0.10",
"bcrypt-nodejs": "0.0.3",
"chalk": "^2.4.1",
"chart.js": "^2.7.2",
"core-js": "^2.4.1",
"cron": "^1.3.0",
"datatables.net": "^1.10.19",
"datatables.net-dt": "^1.10.19",
"express": "^4.16.3",
"file-saver": "^1.3.8",
"googleapis": "^35.0.0",
"http-errors": "^1.6.3",
"install-peerdeps": "^2.0.1",
"jodit-angular": "^1.0.59",
"jquery": "^3.3.1",
"jsonwebtoken": "^8.1.0",
"jwt-decode": "^2.2.0",
"lodash": "^4.17.10",
"moment": "^2.22.2",
"moment-timezone": "^0.5.21",
"mongoose": "^5.2.4",
"mongoose-paginate": "^5.0.3",
"multer": "^1.3.0",
"ng2-nouislider": "^1.7.7",
"ngx-bootstrap": "^2.0.3",
"ngx-chips": "^1.9.2",
"ngx-toastr": "^6.4.0",
"node-cron": "^1.2.1",
"node-sass": "^4.9.2",
"nodemailer": "^4.6.8",
"nouislider": "^11.0.3",
"rxjs": "^5.5.12",
"shortid": "^2.2.8",
"ts-helpers": "^1.1.1",
"twilio": "^3.19.2",
"typescript": "^2.4.2",
"xlsx": "^0.13.0",
"zone.js": "^0.8.19"
},
"devDependencies": {
"@angular/cli": "^1.7.4",
"@angular/compiler-cli": "^5.2.0",
"@types/datatables.net": "^1.10.12",
"@types/jasmine": "~2.8.3",
"@types/jquery": "^3.3.4",
"@types/node": "~6.0.60",
"@types/systemjs": "^0.20.5",
"codelyzer": "^4.0.1",
"jasmine-core": "~2.8.0",
"jasmine-spec-reporter": "~4.2.1",
"karma-chrome-launcher": "~2.2.0",
"karma": "^2.0.4"
}
}
1 個解決方案
解決方案1
7 已采納 2020-01-26 21:41:28
您必須使用npm audit並實際閱讀審核日志。 將提供關於可以安裝哪些版本來修復漏洞的建議。有關 npm 審計的更多信息,請參閱https://docs.npmjs.com/cli/audit 。
漏洞
您可以使用npm audit獲取所有漏洞的報告。 在每個漏洞的報告中,您還將看到修復它的方法。 當您使用npm audit fix您是在告訴 npm 執行這些修復程序。 但是,Npm 不會自動安裝可能會破壞您的項目的修復程序,例如主要版本更改。 如果您認為漏洞比必須處理可能的重大更改更重要,則必須為這些人手動執行npm install命令。
注意:自編寫以來,引入了npm audit fix --force ,它甚至會執行可能引入破壞性更改的補丁。 使用風險自負,我用過它,結果很糟糕,非常糟糕。
對等依賴
另一個常見的警告是對等依賴警告。 對等依賴指定的不是依賴,而是兼容性。 查看這篇文章,以更好地解釋對等依賴項: https : //stackoverflow.com/a/34645112/1016004
您可以看到對等依賴警告有兩個原因:指定的對等依賴丟失,或者對等依賴的版本錯誤。 在這兩種情況下,您都必須自己找出正確的答案。 要回答的核心問題是您是否可以在項目中安裝依賴項:
- 您是否使用了將在更新中刪除的任何已棄用的功能,是否有任何重大更改適用於您的代碼,...?
- 您是否必須恢復到具有已知漏洞的版本,您使用的方式可能危及用戶數據,......?
不推薦用於生產的簡單解決方案是手動嘗試使用建議版本為漏洞和對等依賴項運行npm install 。 確保有版本控制或備份,以便在最終出現比開始時更多的錯誤時可以恢復。
如果簡單的解決方案沒有解決它,您將不得不尋找屬於無法解決的約束的其他版本的包。 也許任何這些軟件包的以前版本都可以一起工作?
我安裝了 npm,它有 7 個漏洞需要手動修復
[英]I installed npm and it had 7 vulnerabilities that had to be fixed manually
通過 NPM 安裝時出現漏洞錯誤,(npm 審核修復)也無法正常工作
[英]vulnerabilities error while installing via NPM, ( npm audit fix ) also not working
preact-cli 存在嚴重漏洞,npm 審計修復循環運行 (3.0.5 <-> 2.2.1)
[英]preact-cli has high severity vulnerabilities and npm audit fix runs in circles (3.0.5 <-> 2.2.1)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.