Running suggested command doesn't fix NPM Vulnerability
After every new NPM module I install in my project, I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
Then I run npm audit
and I get details for each of the 40 vulnerabilities, for example:
# Run npm install npm@6.0.1 to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk > │
│ │ boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Or this one:
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ chokidar > fsevents > node-pre-gyp > tar-pack > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I ran npm install npm@6.0.1 (even though I already had 6.0.1) and then npm update fsevents --depth 2,
but after that I re-ran npm audit
and nothing changed; I still have the same 40 vulnerabilities, some of which are really scary. What should I do?
This seems to be a bug in npm 6.0.1 related to handling optional dependencies: https://github.com/npm/npm/issues/20577
Source: https://github.com/npm/npm/issues/20675.
One fsevents issue may be related to the fact that fsevents can't be installed on Windows, so you will have to update it on a macOS machine.
This is a bit odd, because looking at exhnozoaa's solution, as of now it seems to suggest otherwise:
I was able to work around this on Windows with the following steps.
- Open package-lock.json in an editor.
- Search for "fsevents". Find the one that is an object directly under "dependencies".
- Delete "fsevents" (the key and the whole object).
- From the terminal, run npm install.
This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.
This worked for me on MacOS:
- Update NPM to the new 6.1.0. It introduces an 'npm audit fix' command, more info here.
- Run 'npm audit fix'.
When you run 'npm audit' again, the only remaining vulnerabilities should be "Manual Review" issues.
This worked for me:
- Do the npm audit suggestions that aren't npm updates
- Delete package-lock.json
- Delete the node_modules folder
- Run npm install again