Github potential security vulnerability error for hoek node module
Problem description
Today GitHub is showing the following error on my GitHub repository:
We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.
On clicking the "Review vulnerable dependency" button, the following message was displayed:
hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'
Until yesterday it was not showing such an error. I have not pushed anything to this repository for more than 5 days. Any idea why it is happening?
Recommended answer
npm update
should work only if the vulnerable package is declared as a direct dependency of the project. But usually (as in the case of hoek) vulnerabilities lie in those packages which live down in your sub-dependency tree.
Since in my case I decided not to update all the dependencies of my project (by deleting and rebuilding the entire package-lock.json file), I went for the following (and, of course, more time-consuming) approach:
- find all the occurrences of the vulnerable package in my package-lock.json
- follow the dependency tree up to find which top-level packages import them
- uninstall and re-install those top-level packages using the same minor version
Like:
npm r package-1 package-2 && npm i package-1@^1.2.3 package-2@^1.2.3
This approach will work only if the vulnerable package was fixed and released and the consuming packages import the vulnerable one with a loose version number open to patch or minor versions.
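The three manual steps above (find the vulnerable copies in package-lock.json, walk the tree up to the top-level packages, reinstall them at the same minor version) can be scripted. The Node script below is an added example and is not part of the original answer; it assumes the lockfileVersion 1 layout (a "dependencies" map with per-package "version", "requires" and nested "dependencies"), and the package.json and package-lock.json objects embedded in it are constructed sample data with hypothetical versions and "requires" maps, not a real project. It resolves each "requires" entry the way Node does (nearest nested copy first, then outer levels), so a top-level package that already got its own fixed nested copy is not flagged, and it prints the npm r / npm i command the answer describes.

```javascript
'use strict';
// Added example, not from the original answer: find vulnerable copies of a
// package in a lockfileVersion 1 package-lock.json, trace them back to the
// top-level packages declared in package.json, and build the reinstall command.
// PACKAGE_JSON and PACKAGE_LOCK are constructed sample data (hypothetical
// versions and "requires" maps), not a real project's files.

const PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { hapi: '^16.6.2', joi: '^13.1.0', lodash: '^4.17.5' },
};

const PACKAGE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    hapi:   { version: '16.6.2', requires: { boom: '5.2.0', hoek: '4.2.0' } },
    boom:   { version: '5.2.0',  requires: { hoek: '4.2.0' } },
    hoek:   { version: '4.2.0' },                            // hoisted copy, vulnerable
    joi:    { version: '13.1.0', requires: { hoek: '5.0.3' },
              dependencies: { hoek: { version: '5.0.3' } } }, // joi's own nested copy, fixed
    lodash: { version: '4.17.5' },
  },
};

// Compare dotted numeric versions (x.y.z). Simplified: pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Flatten the lock tree into a Map of path -> node. A path looks like 'joi>hoek';
// each node remembers the chain of enclosing "dependencies" maps (its scopes),
// which is what Node's module resolution walks from the innermost outwards.
function walkLock(lock) {
  const nodes = new Map();
  const visit = (deps, prefix, scopes) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix}>${name}` : name;
      const own = entry.dependencies || {};
      const nodeScopes = [...scopes, { prefix: path, deps: own }];
      nodes.set(path, { name, version: entry.version, requires: entry.requires || {}, scopes: nodeScopes });
      visit(own, path, nodeScopes);
    }
  };
  visit(lock.dependencies, '', [{ prefix: '', deps: lock.dependencies || {} }]);
  return nodes;
}

// Resolve a required package name from a node to the path of the copy Node would load.
function resolveRequire(node, requiredName) {
  for (let i = node.scopes.length - 1; i >= 0; i--) {
    const { prefix, deps } = node.scopes[i];
    if (deps[requiredName]) return prefix ? `${prefix}>${requiredName}` : requiredName;
  }
  return null; // dangling require: the lock file is inconsistent
}

// Step 1: every copy of `name` whose version is below the first fixed release.
function findVulnerable(nodes, name, fixedVersion) {
  return [...nodes.entries()]
    .filter(([, n]) => n.name === name && compareVersions(n.version, fixedVersion) < 0)
    .map(([path, n]) => ({ path, version: n.version }));
}

// Reverse edges: resolved dependency path -> set of paths that require it.
function dependentsGraph(nodes) {
  const dependents = new Map();
  for (const [path, node] of nodes) {
    for (const req of Object.keys(node.requires)) {
      const target = resolveRequire(node, req);
      if (target === null) continue;
      if (!dependents.has(target)) dependents.set(target, new Set());
      dependents.get(target).add(path);
    }
  }
  return dependents;
}

// Step 2: walk the reverse edges from each vulnerable copy up to the packages
// that package.json declares directly. Returns their names, sorted.
function topLevelConsumers(lock, pkgJson, name, fixedVersion) {
  const nodes = walkLock(lock);
  const dependents = dependentsGraph(nodes);
  const direct = new Set(Object.keys(pkgJson.dependencies || {}));
  const consumers = new Set();
  const queue = findVulnerable(nodes, name, fixedVersion).map((v) => v.path);
  const seen = new Set(queue);
  while (queue.length) {
    const path = queue.shift();
    if (!path.includes('>') && direct.has(path)) consumers.add(path);
    for (const dep of dependents.get(path) || []) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  return [...consumers].sort();
}

// Step 3: uninstall and reinstall those packages at the same minor version (caret range
// on the version currently locked), as in the answer's `npm r ... && npm i ...` line.
function reinstallCommand(lock, consumers) {
  if (consumers.length === 0) return null;
  const specs = consumers.map((p) => `${p}@^${lock.dependencies[p].version}`);
  return `npm r ${consumers.join(' ')} && npm i ${specs.join(' ')}`;
}

const hits = findVulnerable(walkLock(PACKAGE_LOCK), 'hoek', '5.0.3');
const consumers = topLevelConsumers(PACKAGE_LOCK, PACKAGE_JSON, 'hoek', '5.0.3');
console.log('vulnerable copies:', hits);
console.log('top-level packages to reinstall:', consumers);
console.log(reinstallCommand(PACKAGE_LOCK, consumers));
```

With the sample data only the hoisted hoek 4.2.0 is flagged; hapi reaches it directly and through boom, so the script prints `npm r hapi && npm i hapi@^16.6.2`, while joi is left alone because its "requires" resolves to its own nested hoek 5.0.3. To use it on a real project, replace the two constants with `JSON.parse(fs.readFileSync(...))` of the actual files. Re-run it after the reinstall: if a consumer pins the vulnerable package with an exact version, the copy will still be there, which is the limitation the answer points out.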