Running the recommended command doesn't fix NPM vulnerabilities
Question
After each installation of a new NPM module in my project I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
So then I run npm audit and I get the details for each of the 40 vulnerabilities, such as:
# Run npm install npm@6.0.1 to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk > │
│ │ boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Or this one:
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ chokidar > fsevents > node-pre-gyp > tar-pack > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I run npm install npm@6.0.1 (even though I already had 6.0.1), then npm update fsevents --depth 2. But after that I re-run npm audit and nothing has changed; I still have the same 40 vulnerabilities, and some of them are really scary. What should I do?
Accepted answer
This worked for me on MacOS:
- Update NPM to the new 6.1.0. It introduces the "npm audit fix" command; more info here.
- Run "npm audit fix".
When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.
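An added example, not code from the question or the answer: a small Node script that triages an `npm audit --json` report into what `npm audit fix` will apply, what it skips as semver-major (the SEMVER WARNING case above, which needs `--force` or a deliberate upgrade) and what is left for manual review. It assumes the npm 6 report layout (`actions`/`advisories`, as in the thread's npm version; npm 7+ emits a different schema) and uses constructed sample data modelled on the two advisories in the question.

```javascript
// Added example, not the thread's own code. Assumes the npm 6 `npm audit --json` layout.

// Constructed sample modelled on the two advisories in the question, plus one
// "review" action (id 9999 and example-pkg are placeholders).
const sampleReport = {
  actions: [
    { action: 'install', module: 'npm', target: '6.0.1', isMajor: true,
      resolves: [{ id: 566, path: 'npm>libcipm>npm-lifecycle>node-gyp>request>hawk>boom>hoek' }] },
    { action: 'update', module: 'fsevents', depth: 2, target: 'x.y.z (constructed)',
      resolves: [{ id: 534, path: 'chokidar>fsevents>node-pre-gyp>tar-pack>debug' }] },
    { action: 'review', module: 'example-pkg', resolves: [{ id: 9999, path: 'some-tool>example-pkg' }] },
  ],
  advisories: {
    566: { module_name: 'hoek', severity: 'moderate', title: 'Prototype pollution' },
    534: { module_name: 'debug', severity: 'low', title: 'Regular Expression Denial of Service' },
    9999: { module_name: 'example-pkg', severity: 'high', title: 'Constructed advisory' },
  },
};

// Sort each resolved finding into: auto (npm audit fix applies it), breaking
// (semver-major; npm audit fix skips it unless --force) or manual (review).
function triageAudit(report) {
  const out = { auto: [], breaking: [], manual: [] };
  for (const action of report.actions) {
    let command = null; // 'review' actions come with no command
    if (action.action === 'install') command = `npm install ${action.module}@${action.target}`;
    if (action.action === 'update') command = `npm update ${action.module} --depth ${action.depth}`;
    for (const finding of action.resolves) {
      const adv = report.advisories[finding.id];
      const entry = { id: finding.id, module: adv.module_name, severity: adv.severity,
                      title: adv.title, path: finding.path, command };
      if (command === null) out.manual.push(entry);
      else if (action.isMajor) out.breaking.push(entry);
      else out.auto.push(entry);
    }
  }
  return out;
}

// Tally advisories by severity, like the "Severity: 8 Low | 24 Moderate | 8 High" line.
function severityCounts(report) {
  const counts = {};
  for (const adv of Object.values(report.advisories)) {
    counts[adv.severity] = (counts[adv.severity] || 0) + 1;
  }
  return counts;
}

console.log(JSON.stringify(triageAudit(sampleReport), null, 2), severityCounts(sampleReport));
```

Run it with node; the "manual" bucket is what should still be listed after `npm audit fix`, and the "breaking" bucket is why re-running the printed command on an already-current npm changes nothing.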