NPM Audit fixes
Question
After running npm audit I have (this is just one of) a moderate warning:

Moderate      │ Prototype pollution
Package       │ hoek
Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of │ karma
Path          │ karma > log4js > loggly > request > hawk > sntp > hoek
I can see that hoek is a dependency of karma (further down the chain). Looking at the Karma repo on GitHub I can see that this has been raised but no immediate fix has been prioritised.

Is this something that we just have to accept for now until they have updated their dependencies, or can we tell our application to use a more recent version of hoek and apply it to all packages?
Answer
The problem is that loggly hasn't been updated for a long time and is hard-coded to a request version that uses a hoek version with the specified vulnerability. There is an open issue.
Considering the role of the hoek package here, it's unlikely that it causes a real security issue.

From a user's perspective, it's possible to fix the security issue by using a branch where this dependency is fixed, e.g. this pull request:
"karma": "^2.0.2",
"loggly": "github:winstonjs/node-loggly#pull/79/head"
Since the loggly branch version matches the constraints in log4js, this replaces the original loggly with the fixed one (possibly requires purging node_modules to take effect).
This causes a 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits error for npm audit, so it likely should be left as is for now.