NPM still gives warnings, npm audit fix not working

My project's package.json dependencies:

"dependencies": {
    "@babel/cli": "^7.0.0-beta.51",
    "@babel/core": "^7.0.0-beta.51",
    "@babel/preset-env": "^7.0.0-beta.51",
    "babel-loader": "^8.0.0-beta.4",
    "babel-plugin-add-module-exports": "^1.0.0",
    "babel-plugin-istanbul": "^5.1.0",
    "babel-preset-env": "^7.0.0-beta.3",
    "babel-register": "^7.0.0-beta.3",
    "build": "^0.1.4",
    "jsdom": "^14.0.0",
    "jsdom-global": "3.0.2",
    "moment": "^2.24.0",
    "nyc": "^13.1.0",
    "rimraf": "^2.6.3",
    "webpack": "^4.12.2",
    "webpack-cli": "^3.0.8",
    "yargs": "^13.2.2"
},

When I run "npm i", I still see:

audited 14173 packages in 5.084s
found 6 vulnerabilities (4 low, 1 moderate, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

When I run "npm audit":

                       === npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Moderate        Denial of Service                                             
                                                                                
  Package         js-yaml                                                       
                                                                                
  Patched in      >=3.13.0                                                      
                                                                                
  Dependency of   build                                                         
                                                                                
  Path            build > jxLoader > js-yaml                                    
                                                                                
  More info       https://npmjs.com/advisories/788                              
                                                                                
                                                                                
  Critical        Deserialization Code Execution                                
                                                                                
  Package         js-yaml                                                       
                                                                                
  Patched in      >= 2.0.5                                                      
                                                                                
  Dependency of   build                                                         
                                                                                
  Path            build > jxLoader > js-yaml                                    
                                                                                
  More info       https://npmjs.com/advisories/16                               
                                                                                
                                                                                
  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  
                                                                                
  Package         uglify-js                                                     
                                                                                
  Patched in      >= 2.4.24                                                     
                                                                                
  Dependency of   build                                                         
                                                                                
  Path            build > uglify-js                                             
                                                                                
  More info       https://npmjs.com/advisories/39                               
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         uglify-js                                                     
                                                                                
  Patched in      >=2.6.0                                                       
                                                                                
  Dependency of   build                                                         
                                                                                
  Path            build > uglify-js                                             
                                                                                
  More info       https://npmjs.com/advisories/48                               
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         braces                                                        
                                                                                
  Patched in      >=2.3.1                                                       
                                                                                
  Dependency of   babel-register                                                
                                                                                
  Path            babel-register > babel-core > micromatch > braces             
                                                                                
  More info       https://npmjs.com/advisories/786                              
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         timespan                                                      
                                                                                
  Patched in      No patch available                                            
                                                                                
  Dependency of   build                                                         
                                                                                
  Path            build > timespan                                              
                                                                                
  More info       https://npmjs.com/advisories/533   

When I try to run "npm audit fix", it says:

up to date in 4.704s
fixed 0 of 6 vulnerabilities in 14173 scanned packages
  6 vulnerabilities required manual review and could not be updated

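I have already tried deleting the "package-lock.json" file and retrying, clearing the npm cache, and updating the packages manually; none of these steps seem to be working. Does anyone know how to fix this? Thanks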

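I finally fixed it myself by manually updating all packages to their latest versions and removing the "build": "^0.1.4" package, since it is no longer updated.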
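An added example, not part of the original post: a small Node.js parser for the text report shown above that groups "manual review" findings by the direct dependency that pulls them in, which makes it clear which top-level package to replace or remove. The function names are hypothetical and the sample input is condensed from the report in the question.

```javascript
// Constructed sample: four of the six entries from the report above, padding removed.
const SAMPLE_REPORT = `
  Moderate        Denial of Service
  Package         js-yaml
  Patched in      >=3.13.0
  Dependency of   build
  Path            build > jxLoader > js-yaml
  Critical        Deserialization Code Execution
  Package         js-yaml
  Patched in      >= 2.0.5
  Dependency of   build
  Path            build > jxLoader > js-yaml
  Low             Regular Expression Denial of Service
  Package         braces
  Patched in      >=2.3.1
  Dependency of   babel-register
  Path            babel-register > babel-core > micromatch > braces
  Low             Regular Expression Denial of Service
  Package         timespan
  Patched in      No patch available
  Dependency of   build
  Path            build > timespan
`;
const SEVERITIES = ['Low', 'Moderate', 'High', 'Critical'];

function parseAuditReport(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    // A data row is "<label><2+ spaces><value>"; banners and wrapped titles do not match.
    const m = line.match(/^\s*(\S.*?)\s{2,}(\S.*?)\s*$/);
    if (!m) continue;
    const [, label, value] = m;
    if (SEVERITIES.includes(label)) findings.push({ severity: label, title: value });
    else if (findings.length) findings[findings.length - 1][label] = value;
  }
  return findings;
}

function groupByDirectDependency(findings) {
  const groups = {};
  for (const f of findings) {
    const dep = f['Dependency of'];
    const g = groups[dep] || (groups[dep] = { count: 0, worst: 'Low', unpatched: [] });
    g.count += 1;
    if (SEVERITIES.indexOf(f.severity) > SEVERITIES.indexOf(g.worst)) g.worst = f.severity;
    if (f['Patched in'] === 'No patch available') g.unpatched.push(f.Package);
  }
  return groups;
}
```

A direct dependency whose group contains an entry with no patch available cannot be cleared by upgrading its transitive packages, so the remaining options are replacing or removing that dependency.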