npm audit finds two high vulnerabilities. What am I supposed to do?
Question

I ran npm audit on my project and it gave me this:
High Command Injection
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill
More info https://npmjs.com/advisories/1432

High Command Injection
Package tree-kill
Patched in >=1.2.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > tree-kill
More info https://npmjs.com/advisories/1432
tree-kill needs to be updated, but it is a dependency of Angular, not mine. So what? Do I need to wait for the Angular team to update their own package.json to a newer version of tree-kill?
Accepted answer

You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

Just follow these steps:

- Update your package.json file by adding a resolutions section with the proper version of the package tree-kill:

"resolutions": {
  "tree-kill": "1.2.2"
}

- Update your package-lock.json by running:

npx npm-force-resolutions

- Reinstall the npm packages in your project:

rm -r node_modules
npm install

Run npm audit to check that your project no longer has this problem. And don't forget to commit the modified files package.json and package-lock.json.

More info about npm-force-resolutions.
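As an added example (not part of the answer above), this Node.js script walks a package-lock.json and lists every nested copy of tree-kill still below the patched 1.2.2, so you can confirm the resolutions override reached every install path before relying on npm audit. The SAMPLE_LOCK object is constructed sample data; the Angular package versions in it are placeholders.

```javascript
// Added example, not from the original answer: confirm that a "resolutions"
// override reached every nested copy of a package in package-lock.json.
// Node.js built-ins only; SAMPLE_LOCK is constructed data with placeholder versions.

// Numeric compare of "x.y.z" strings; pre-release suffixes are ignored.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Return every install path of `name` whose version is below `minVersion`.
// Handles lockfileVersion 2/3 (flat "packages" map) and v1 (nested "dependencies").
function findVulnerableCopies(lock, name, minVersion) {
  const hits = [];
  const record = (path, version) => {
    if (versionLessThan(version, minVersion)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + name)) record(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + dep;
      if (dep === name) record(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed v1-style lockfile: the root copy is patched, two nested copies are not.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  "tree-kill": { version: "1.2.2" },
  "@angular-devkit/build-angular": { version: "0.0.0-placeholder", dependencies: {
    "tree-kill": { version: "1.2.1" },
    "@ngtools/webpack": { version: "0.0.0-placeholder",
      dependencies: { "tree-kill": { version: "1.2.1" } } },
  } },
} };

for (const h of findVulnerableCopies(SAMPLE_LOCK, "tree-kill", "1.2.2")) {
  console.log(`${h.path} is ${h.version}, still below the patched 1.2.2`);
}
```

To check a real project, pass `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK; an empty result means every copy is at or above the patched version.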