How to fix npm vulnerabilities manually?

Views: 4591

Question


When I run npm install it says found 33 vulnerabilities (2 low, 31 moderate) run `npm audit fix` to fix them, or `npm audit` for details.


However, npm audit fix outputs up to date in 11s fixed 0 of 33 vulnerabilities in 24653 scanned packages 33 vulnerabilities required manual review and could not be updated


Does that "review" mean it is not supposed to be fixed by the user?


When I run npm audit it gives me a list of tables, similar to this:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > easy-extender > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


In this example the remediation section of the linked page says Update to version 4.17.5 or later. However, in /node_modules/browser-sync/package.json there are these lines:

"devDependencies": {
    "lodash-cli": "4.17.5",
}


and no more lodash dependencies. So it should already be v4.17.5. I also checked /node_modules/lodash/lodash.json, which has the line var VERSION = '4.17.10';. In /node_modules/lodash/package.json there are these lines:

  "_from": "lodash@^4.17.4",
  "_id": "lodash@4.17.10",


I believe that the version is shown in "_id", not in "_from", so the versions are correct, but the vulnerability still appears in the audit list.


I'm still new to node.js and those messages confuse me a lot. Is there any way to fix it manually, or to get rid of those messages I can't do anything about?

Answer


lodash-cli in devDependencies doesn't affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency.


What the audit report says is that it's easy-extender that has the lodash dependency:

browser-sync > easy-extender > lodash


It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from the NPM public registry. But there is no real problem with this dependency.


The importance of an audit report should be evaluated manually. Even if a nested dependency has a security risk, this doesn't mean that the feature that introduces this risk was used. It also doesn't mean that, even if it is used, it introduces a real risk given how it's used.


browser-sync is a development tool that isn't used in production, so there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices; it can be ignored.


Generally, this is the way to fix reported vulnerabilities:

  • Do a sanity check
  • In case it's a real problem, check the repository of the vulnerable package for existing issues and PRs
  • In case there's none, submit an issue
  • Fork the repository or use an existing PR as a git dependency until it's fixed in an NPM release
  • In case of nested dependencies, do this at several levels of nesting


Most times it's expected that you won't advance beyond a sanity check.

patch-package can help patch nested dependencies in place, but this doesn't affect the audit report.
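The "sanity check" step above is easier with the machine-readable report. The script below is an added example, not code from the question or the answer: it walks an `npm audit --json` report, keeps only the findings whose installed version is still below the advisory's patched range (so a lodash 4.17.10 copy is not counted against a ">=4.17.5" fix, the situation the asker ran into), and separates advisories that only reach the project through devDependencies, like browser-sync > easy-extender > lodash, from advisories on production paths. The sample report, the advisory id 9999 and the example-* package names are constructed for the demonstration and modelled on the npm 6 audit JSON shape (advisories keyed by id, each with findings carrying version, paths and a dev flag); that shape is an assumption about the format, and the version check deliberately handles only a single ">=x.y.z" lower bound rather than full semver ranges.

```javascript
// Added example, not code from the original question or answer.
// Triage helper for `npm audit --json`: for each advisory, keep only the
// findings whose installed version is still below the patched range, then
// flag advisories that only reach the project through devDependencies.
// The sample report below is constructed by hand and modelled on the npm 6
// audit JSON shape (advisories keyed by id, each with findings/paths/dev);
// it is not real output from the asker's project.

const sampleAudit = {
  advisories: {
    577: {
      id: 577,
      module_name: 'lodash',
      title: 'Prototype Pollution',
      severity: 'low',
      patched_versions: '>=4.17.5',
      findings: [
        // Lodash 3 reached via browser-sync, a dev-only dependency (as in the question)
        { version: '3.10.1', paths: ['browser-sync>easy-extender>lodash'], dev: true },
      ],
    },
    // Constructed advisory id and package names, used only to show the contrast
    9999: {
      id: 9999,
      module_name: 'example-lib',
      title: 'Example issue',
      severity: 'moderate',
      patched_versions: '>=2.0.0',
      findings: [
        { version: '1.4.0', paths: ['example-server>example-lib'], dev: false },
        { version: '2.1.0', paths: ['example-tool>example-lib'], dev: false },
      ],
    },
  },
};

// Numeric "major.minor.patch" comparison; returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Only handles the single ">=x.y.z" lower bound that npm audit commonly prints;
// returns null for any other range syntax instead of guessing.
function satisfiesPatched(installed, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedRange.trim());
  if (!m) return null;
  return compareVersions(installed, m[1]) >= 0;
}

// One triage row per advisory: which installed copies are still vulnerable,
// the dependency paths that pull them in, and whether all of them are dev-only.
function triage(audit) {
  return Object.values(audit.advisories).map((adv) => {
    const vulnerable = adv.findings.filter(
      (f) => satisfiesPatched(f.version, adv.patched_versions) !== true,
    );
    const devOnly = vulnerable.length > 0 && vulnerable.every((f) => f.dev);
    return {
      id: adv.id,
      module: adv.module_name,
      title: adv.title,
      severity: adv.severity,
      installedVersions: vulnerable.map((f) => f.version),
      paths: vulnerable.flatMap((f) => f.paths),
      devOnly,
      // Worth the fork/PR/git-dependency effort only if a production path is affected
      actionable: vulnerable.length > 0 && !devOnly,
    };
  });
}

// Two lists for the sanity check: advisories reachable from production code,
// and advisories that only matter for the development toolchain.
function summarize(audit) {
  const rows = triage(audit);
  return {
    production: rows.filter((r) => r.actionable).map((r) => r.module),
    devOnly: rows.filter((r) => r.devOnly).map((r) => r.module),
  };
}

console.log(JSON.stringify(summarize(sampleAudit), null, 2));
```

To run it against a real project, save `npm audit --json > audit.json`, `JSON.parse` that file and pass the object to `summarize` instead of `sampleAudit`. The dev-only list is what the answer says you can usually stop at after the sanity check; the production list is where the fork / PR / git-dependency steps apply, and note that a `null` from `satisfiesPatched` (an unrecognised range) is treated as "still vulnerable" so an unparsed range is never silently dropped.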
