How to fix npm vulnerabilities manually?

Question

When I run npm install it says

    found 33 vulnerabilities (2 low, 31 moderate)
    run `npm audit fix` to fix them, or `npm audit` for details

However, npm audit fix outputs

    up to date in 11s
    fixed 0 of 33 vulnerabilities in 24653 scanned packages
    33 vulnerabilities required manual review and could not be updated

Does that "review" mean it is not supposed to be fixed by the user?

When I run npm audit it gives me a list of tables, similar to this:

    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ lodash                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=4.17.5                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ browser-sync [dev]                                           │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ browser-sync > easy-extender > lodash                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/577                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘

In this example the remediation section of the linked page says "Update to version 4.17.5 or later." However, in /node_modules/browser-sync/package.json there are these lines:

    "devDependencies": {
      "lodash-cli": "4.17.5",
    }

and no more lodash dependencies. So it should already be v4.17.5. I also checked /node_modules/lodash/lodash.json, which has the line var VERSION = '4.17.10';. In /node_modules/lodash/package.json there are these lines:

    "_from": "lodash@^4.17.4",
    "_id": "lodash@4.17.10",

I believe that the version is shown in "_id", not in "_from", so the versions are correct, but the vulnerability still appears in the audit list.

I'm still new to node.js and those messages confuse me a lot. Is there any way to fix it manually, or to get rid of those messages that I can't do anything with?
Answer

lodash-cli in devDependencies doesn't affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency.

What the audit report says is that it's easy-extender that has the lodash dependency:

    browser-sync > easy-extender > lodash

It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from the NPM public registry. But there is no real problem with this dependency.

Generally, this is the way to fix reported vulnerabilities:

The importance of an audit report should be evaluated manually. Even if a nested dependency has a security risk, this doesn't mean that the feature that introduces this risk was used. This also doesn't mean that, even if it's used, it introduces a real risk, given how it's used.

browser-sync is a development tool that isn't used in production; there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices; it can be ignored.

Most times it's expected that you won't advance beyond a sanity check.

patch-package can help to patch nested dependencies in place, but this won't affect the audit report.
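The manual sanity check the answer describes, as an added example that is not part of the question, the answer, or npm itself: a Node script that takes an `npm audit --json` report and, for every dependency path, records the direct dependency the finding comes through, whether that path is dev-only, and whether the resolved version already satisfies the "Patched in" range, so that production, unpatched findings come out first. It assumes the report shape of npm 6's `npm audit --json` output (advisories keyed by id, each with module_name, patched_versions, severity, title and a findings[] list carrying the resolved version, the paths and a dev flag). The sample report is constructed for this example: advisory 9999, the packages web-server, cli-tool and example-lib, and the Lodash 3 version under easy-extender are all made up, not taken from the page.

```javascript
// Added example: triage an `npm audit --json` report (npm 6 report shape assumed).
// Nothing here is npm's own code; the sample report below is constructed.

const SAMPLE_REPORT = {
  advisories: {
    // Advisory 577 is the one shown in the question; the lodash version is a
    // constructed Lodash 3 release, since the question does not show it.
    "577": {
      id: 577,
      module_name: "lodash",
      title: "Prototype Pollution",
      severity: "low",
      patched_versions: ">=4.17.5",
      url: "https://nodesecurity.io/advisories/577",
      findings: [
        { version: "3.10.1", paths: ["browser-sync>easy-extender>lodash"], dev: true },
      ],
    },
    // Constructed advisory (id, packages and range are all made up) to show a
    // production path and a multi-comparator range with an "||" alternative.
    "9999": {
      id: 9999,
      module_name: "example-lib",
      title: "Constructed example advisory",
      severity: "moderate",
      patched_versions: ">=2.0.0 <3.0.0 || >=3.1.0",
      url: "https://example.invalid/advisories/9999",
      findings: [
        { version: "1.4.0", paths: ["web-server>example-lib"], dev: false },
        { version: "3.1.2", paths: ["cli-tool>example-lib"], dev: true },
      ],
    },
  },
};

// Parse "major.minor.patch" (an optional leading "v" is tolerated; pre-release
// tags are not supported and are rejected rather than silently misread).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate the comparator syntax npm audit uses for patched_versions:
// space-separated comparators within an alternative must all hold, "||"
// separates alternatives, and "<0.0.0" (npm's "no patched version") never matches.
function satisfies(version, range) {
  const ops = {
    ">=": c => c >= 0, ">": c => c > 0, "<=": c => c <= 0, "<": c => c < 0, "=": c => c === 0,
  };
  return range.split("||").some(alt => {
    const comparators = alt.trim().split(/\s+/).filter(Boolean);
    if (comparators.length === 0) return false;
    return comparators.every(cmp => {
      const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(cmp);
      return ops[m[1] || "="](compareVersions(version, m[2]));
    });
  });
}

// One row per (advisory, finding, path). The verdict encodes the answer's
// reasoning: a path that already meets the patched range needs nothing, a
// dev-only path is rarely reachable in production, and anything else is the
// case that actually needs an update, a fork, or a patch.
function triageAudit(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories)) {
    for (const f of adv.findings) {
      for (const path of f.paths) {
        const chain = path.split(">");
        let verdict;
        if (satisfies(f.version, adv.patched_versions)) verdict = "already-patched";
        else if (f.dev) verdict = "dev-only";
        else verdict = "production-unpatched";
        rows.push({
          advisory: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          version: f.version,            // resolved version, like "_id" in package.json
          patchedIn: adv.patched_versions,
          directDependency: chain[0],    // what your own package.json declares
          parent: chain.length > 1 ? chain[chain.length - 2] : null, // who pulls the module in
          dev: f.dev,
          verdict,
        });
      }
    }
  }
  const order = { "production-unpatched": 0, "dev-only": 1, "already-patched": 2 };
  return rows.sort((a, b) => order[a.verdict] - order[b.verdict]);
}

function summarize(report) {
  const counts = { "production-unpatched": 0, "dev-only": 0, "already-patched": 0 };
  for (const r of triageAudit(report)) counts[r.verdict]++;
  return counts;
}

for (const r of triageAudit(SAMPLE_REPORT)) {
  console.log(`${r.verdict.padEnd(21)} ${r.severity.padEnd(8)} ${r.module}@${r.version}` +
    ` (patched in ${r.patchedIn}) via ${r.directDependency}${r.dev ? " [dev]" : ""},` +
    ` parent: ${r.parent || "(direct)"}`);
}
```

To run this against a real project, write the report with `npm audit --json > audit.json` and pass `JSON.parse` of that file to `triageAudit` instead of `SAMPLE_REPORT`. For the question's lodash finding the row comes out as dev-only with parent easy-extender and direct dependency browser-sync, which is exactly the chain the answer points at: the fix, if one is wanted at all, belongs in easy-extender, not in browser-sync's devDependencies.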