How does npm audit work?


Question

I'm trying to understand how the npm audit command works.

By which algorithm does it determine that there is a problem,

and, most importantly, how does it differentiate the levels low / moderate / high / critical?

Recommended answer

There is no algorithm. Only people.

What npm audit does is look at what package you are using and what version and compare it to npm's vulnerability database. Here's the web interface to that database: https://www.npmjs.com/advisories

If you click on any of the "problems" you will see 3 pieces of information: description of the problem, the recommended fix and a link to where the problem was reported.

As to how npm determines the severity of the problem, it does not. People determine the severity of the problems.

And almost all of it is done by volunteers. This is one of the promises of open-source: with enough eyes looking at your non-hidden code, bugs can be spotted.
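The matching the answer describes, as an added example that is not part of the original question or answer and is not npm's own code: installed packages and versions are compared against an advisory list, and the severity of each finding is simply copied from the advisory, because a person assigned it when the advisory was written. The advisory entries, the installed-package list and the `EXAMPLE-n` ids are constructed sample data, and the range syntax handled is a small subset of real semver ranges (only `<`, `<=`, `>`, `>=` and `=` comparators joined by AND).

```javascript
// Constructed advisory database: a tiny stand-in for the entries behind
// https://www.npmjs.com/advisories. Each entry names the package, the range
// of versions it affects, a human-assigned severity, and the recommended fix.
const ADVISORIES = [
  { id: 'EXAMPLE-1', module: 'left-pad-ish', vulnerable: '<1.3.0',
    severity: 'high', recommendation: 'Upgrade to 1.3.0 or later' },
  { id: 'EXAMPLE-2', module: 'tiny-templater', vulnerable: '>=2.0.0 <2.4.1',
    severity: 'moderate', recommendation: 'Upgrade to 2.4.1 or later' },
  { id: 'EXAMPLE-3', module: 'tiny-templater', vulnerable: '<1.0.0',
    severity: 'low', recommendation: 'Upgrade to 1.0.0 or later' },
];

// Constructed installed dependency list, the kind of information npm reads
// from package-lock.json (the real lock file carries many more fields).
const INSTALLED = [
  { name: 'left-pad-ish', version: '1.2.9' },
  { name: 'tiny-templater', version: '2.4.0' },
  { name: 'safe-lib', version: '3.1.0' },
];

// Parse "MAJOR.MINOR.PATCH" into three numbers. Pre-release tags and build
// metadata are not supported here; real semver parsing is more involved.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric, component-wise comparison: negative if a < b, 0 if equal,
// positive if a > b. Comparing strings would wrongly rank 1.9.0 above 1.10.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Does `version` fall inside a space-separated list of comparators such as
// ">=2.0.0 <2.4.1"? Every comparator must hold (an AND range).
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = clause.match(/^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const op = m[1] || '=';
    const cmp = compareVersions(version, m[2]);
    switch (op) {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// The core of an audit: for each installed package, collect every advisory
// whose module name matches and whose vulnerable range contains the version.
function audit(installed, advisories) {
  const findings = [];
  for (const pkg of installed) {
    for (const adv of advisories) {
      if (adv.module === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({
          id: adv.id,
          module: pkg.name,
          installed: pkg.version,
          severity: adv.severity, // copied from the advisory, never computed
          recommendation: adv.recommendation,
        });
      }
    }
  }
  return findings;
}

// Count findings per severity, the way an audit summary line reports them.
function summarize(findings) {
  const counts = { low: 0, moderate: 0, high: 0, critical: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

const findings = audit(INSTALLED, ADVISORIES);
for (const f of findings) {
  console.log(`${f.severity.padEnd(8)} ${f.module}@${f.installed} ${f.id}: ${f.recommendation}`);
}
console.log(summarize(findings));
```

Run with `node`: `left-pad-ish@1.2.9` matches `EXAMPLE-1` and `tiny-templater@2.4.0` matches `EXAMPLE-2` but not `EXAMPLE-3`, while `safe-lib` has no advisory at all, so the summary is one high and one moderate finding. The point to take from the code is where the severity comes from: the `audit` function never inspects the package's code, it only looks up a name and version and reports whatever a human wrote in the advisory.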
