NPM Audit fixes


Problem description


After running npm audit I have (this is just one of) a moderate warning

Moderate      │ Prototype pollution
Package       │ hoek
Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of │ karma
Path          │ karma > log4js > loggly > request > hawk > sntp > hoek


I can see that hoek is a dependency of karma (further down the chain). Looking at the Karma repo on GitHub I can see that this has been raised but no immediate fix has been prioritised.


Is this something that we just have to accept for now until they have updated their dependencies or can we tell our application to use a more recent version of hoek and apply to all packages?

Accepted answer


The problem is that loggly hasn't been updated for a long time and is hard-coded to a request version that uses a hoek version with the specified vulnerability. There is an open issue.


Considering the role of the hoek package here, it's unlikely that it causes a real security issue.


From a user's perspective, it's possible to fix the security issue by using a branch where this dependency is fixed, e.g. this pull request:

"karma": "^2.0.2",
"loggly": "github:winstonjs/node-loggly#pull/79/head"


Since the loggly branch version matches the constraints in log4js, this replaces the original loggly with the fixed one (possibly requires purging node_modules to take effect).

This causes a

400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

error for npm audit, so it likely should be left as is for now.
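The advisory above pairs a dependency path (the "Path" row) with a "Patched in" range, and the question is whether every copy of hoek reachable from the project is inside that range. The script below is an added example, not code from the question, the answer, or the hoek/karma projects: it walks a hand-constructed tree shaped like `npm ls --json` output (the package names and versions in `SAMPLE_TREE` are made up to mirror the path in the question), reports each path that ends at the target package, and checks the version found there against the advisory's range. The range parser handles only the comparator subset npm audit prints (`>`, `>=`, `<`, `<=`, `=`, joined by `||`), not `^`/`~` or prerelease tags.

```javascript
// Added example (not from the original Q&A): locate every path to a package
// in an `npm ls --json`-style tree and check the installed version there
// against an advisory's "Patched in" range.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluates ranges such as "> 4.2.0 < 5.0.0 || >= 5.0.3": comparators within
// one alternative are ANDed, alternatives separated by "||" are ORed.
function satisfiesRange(version, range) {
  return range.split('||').some(alt => {
    const comparators = alt.match(/(>=|<=|>|<|=)?\s*v?\d+\.\d+\.\d+/g) || [];
    if (comparators.length === 0) return false;
    return comparators.every(c => {
      const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(c.trim());
      const op = m[1] || '=';
      const cmp = compareVersions(version, m[2]);
      switch (op) {
        case '>': return cmp > 0;
        case '>=': return cmp >= 0;
        case '<': return cmp < 0;
        case '<=': return cmp <= 0;
        default: return cmp === 0;
      }
    });
  });
}

// Recursively collects "a > b > c" paths from the root to every occurrence
// of `target`, together with the version installed at the end of each path.
function findPaths(node, target, trail = []) {
  const results = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === target) {
      results.push({ path: path.join(' > '), version: child.version });
    }
    results.push(...findPaths(child, target, path));
  }
  return results;
}

// One row per reachable copy of the package, flagged patched or not.
function auditPackage(tree, target, patchedIn) {
  return findPaths(tree, target).map(hit => ({
    ...hit,
    patched: satisfiesRange(hit.version, patchedIn),
  }));
}

// Constructed sample tree (versions are illustrative, not real lock-file data)
// mirroring the question's path karma > log4js > loggly > request > hawk > sntp > hoek,
// plus a direct dependency on a patched hoek to show both outcomes.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    karma: { version: '2.0.2', dependencies: {
      log4js: { version: '2.5.3', dependencies: {
        loggly: { version: '1.1.1', dependencies: {
          request: { version: '2.75.0', dependencies: {
            hawk: { version: '3.1.3', dependencies: {
              sntp: { version: '1.0.9', dependencies: {
                hoek: { version: '2.16.3' } } } } } } } } } } } } },
    hoek: { version: '5.0.3' },
  },
};

// "Patched in" range as printed in the advisory above.
const HOEK_PATCHED_IN = '> 4.2.0 < 5.0.0 || >= 5.0.3';

function main() {
  for (const r of auditPackage(SAMPLE_TREE, 'hoek', HOEK_PATCHED_IN)) {
    console.log(`${r.patched ? 'ok  ' : 'VULN'} ${r.version.padEnd(8)} ${r.path}`);
  }
}

main();
```

On a real project, feed `auditPackage` the parsed output of `npm ls --json --all` instead of `SAMPLE_TREE`; a path that still ends at an unpatched version after swapping in the loggly branch tells you the override did not take effect (typically because `node_modules` was not purged, as the answer notes).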
