npm audit finds two high vulnerabilities. What am I supposed to do?


Question

I ran npm audit on my project and it gave me this:

High Command Injection
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill
More info https://npmjs.com/advisories/1432

High Command Injection
Package tree-kill
Patched in >=1.2.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > tree-kill
More info https://npmjs.com/advisories/1432

Tree-kill needs to be updated, but it is a dependency of Angular, not mine. So what? Do I need to wait for the Angular team to update its own package.json to a newer version of tree-kill?

Answer

You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

Just follow these steps:

  1. Update your package.json file by adding a resolutions section with the proper version of the tree-kill package:

"resolutions": {
  "tree-kill": "1.2.2"
}

  2. Update your package-lock.json by running:

npx npm-force-resolutions

  3. Reinstall the npm packages in your project:

rm -r node_modules
npm install

Run npm audit to check that your project no longer has this problem. And don't forget to commit the modified files package.json and package-lock.json.

More information about npm-force-resolutions.
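As an added example (not code from the original answer), the following Node script walks a lockfile v1 package-lock.json for every nested copy of a package, compares each against the advisory's patched floor (>=1.2.2 for tree-kill), and checks that package.json pins the package in resolutions. The lock data and the "0.0.0-placeholder" versions are constructed assumptions, not values from a real project.

```javascript
// Added example: audit a lockfile v1 tree ("dependencies" nested under
// "dependencies") for copies of a package below the advisory's patched floor,
// and confirm package.json carries a matching "resolutions" pin.

// Numeric compare of dotted versions (x.y.z only, no pre-release tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every path at which `name` appears in the lock tree.
function findPackagePaths(deps, name, prefix = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const path = prefix.concat(dep);
    if (dep === name) out.push({ path: path.join(' > '), version: info.version });
    findPackagePaths(info.dependencies, name, path, out);
  }
  return out;
}

// Occurrences whose installed version is older than the patched version.
function findVulnerable(lock, name, patchedIn) {
  return findPackagePaths(lock.dependencies, name)
    .filter((o) => compareVersions(o.version, patchedIn) < 0);
}

// True when package.json pins `name` in "resolutions" at or above patchedIn.
function resolutionIsPatched(pkg, name, patchedIn) {
  const pinned = (pkg.resolutions || {})[name];
  return Boolean(pinned) && compareVersions(pinned, patchedIn) >= 0;
}

// Constructed lockfile shaped like the question: tree-kill reachable twice.
const beforeFix = { dependencies: {
  '@angular-devkit/build-angular': { version: '0.0.0-placeholder', dependencies: {
    'tree-kill': { version: '1.2.1' },
    '@ngtools/webpack': { version: '0.0.0-placeholder',
      dependencies: { 'tree-kill': { version: '1.2.1' } } },
  } },
} };
const pkgAfter = { resolutions: { 'tree-kill': '1.2.2' } };

console.log(findVulnerable(beforeFix, 'tree-kill', '1.2.2')); // both 1.2.1 paths
console.log(resolutionIsPatched(pkgAfter, 'tree-kill', '1.2.2')); // true
```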
