Running the suggested command doesn't fix NPM vulnerability

Every time I install a new NPM module in my project, I get the following error:

[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
    Severity: 8 Low | 24 Moderate | 8 High

Then I run npm audit and get details on each of the 40 vulnerabilities, for example:

# Run  npm install npm@6.0.1  to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk >  │
│               │ boom > hoek                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Or this one:

# Run  npm update fsevents --depth 2  to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ chokidar > fsevents > node-pre-gyp > tar-pack > debug        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

So I ran npm install npm@6.0.1 (even though I already had 6.0.1) and then npm update fsevents --depth 2, but after that I re-ran npm audit and nothing had changed: I still have the same 40 vulnerabilities, some of which are really scary. What should I do?

This appears to be a bug in npm 6.0.1 related to the handling of optional dependencies: https://github.com/npm/npm/issues/20577

Source: https://github.com/npm/npm/issues/20675. One fsevents issue may be related to the fact that

fsevents can't be installed on windows, so you will have to update it on a macOS machine.

This is a bit odd, because looking at exhnozoaa's solution, as of now it seems to suggest otherwise:

I was able to work around this on Windows with the following steps.

  1. Open package-lock.json in an editor.
  2. Search for "fsevents". Find the one that is an object directly under "dependencies".
  3. Delete "fsevents" (the key and the whole object).
  4. From the terminal, run npm install.

This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.

This worked for me on MacOS:

  • Update NPM to the new 6.1.0. It introduces an 'npm audit fix' command, more info here
  • Run 'npm audit fix'.

When you run 'npm audit' again, the only remaining vulnerabilities should be "Manual Review" issues.

This worked for me:

Do the npm audit suggestions that aren't npm updates
Delete package-lock.json
Delete the node_modules folder
Run npm install again

https://github.com/npm/npm/issues/20684