npm audit Arbitrary File Overwrite


Problem description

I recently updated my version of angular using ng update and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests to upgrade a package from package.json like: "angular-devkit/build-angular" but I am already using their latest version.

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance           


High            Arbitrary File Overwrite                                      

Package         tar                                                           

Patched in      >=4.4.2                                                       

Dependency of   @angular-devkit/build-angular [dev]                           

Path            @angular-devkit/build-angular > node-sass > node-gyp > tar    

More info       https://npmjs.com/advisories/803                              

found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.

I thought of installing npm i tar but I am not sure.

Recommended answer

The following worked for me:

Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.

Then run:

  1. npm i
  2. npm audit
  3. npm audit fix
  4. npm audit

You should see 0 vulnerabilities.

I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
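
To see which installed copies of tar are still below the version the audit report lists as patched (>=4.4.2), the lockfile can be walked directly. This is an added example, not part of the original question or answer; it assumes a package-lock.json in the nested lockfileVersion 1 layout, and the sample lockfile fragment and the helper names are constructed for illustration.

```javascript
// Added example: list every locked copy of a package that is older than a
// patched version, by walking package-lock.json (lockfileVersion 1 layout,
// where conflicting copies are nested under their parent's "dependencies").

// Compare two plain x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect { path, version } for each copy of `name` older than `patched`.
// `path` is the nesting path inside the lockfile, not npm's logical dependency path.
function findVulnerable(deps, name, patched, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = trail.concat(dep);
    if (dep === name && info.version && compareVersions(info.version, patched) < 0) {
      hits.push({ path: here.join(' > '), version: info.version });
    }
    hits.push(...findVulnerable(info.dependencies, name, patched, here));
  }
  return hits;
}

// Constructed sample: an old tar nested under node-gyp next to a patched top-level tar.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'node-gyp': { version: '3.8.0', dependencies: { tar: { version: '2.2.1' } } },
    tar: { version: '4.4.8' },
  },
};

// Usage: node check-tar.js [path/to/package-lock.json]; without a path the sample is used.
function main() {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleLock;
  const hits = findVulnerable(lock.dependencies, 'tar', '4.4.2');
  for (const h of hits) console.log(`${h.path}  ${h.version}  (< 4.4.2)`);
  return hits.length;
}

main();
```

An empty result means every locked copy of tar is at or above 4.4.2; any line printed names a copy that `npm audit` will keep reporting.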
