Vulnerabilities problem using "npm install"


Problem description

I have installed an express server using the express coserver command, then I used the "npm install" command to install other node packages/dependencies, but I got this result:

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification

  Package         uglify-js

  Patched in      >= 2.4.24

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/39


  Low             Regular Expression Denial of Service

  Package         uglify-js

  Patched in      >=2.6.0

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/48


  Critical        Sandbox Bypass Leading to Arbitrary Code Execution

  Package         constantinople

  Patched in      >=3.1.1

  Dependency of   jade

  Path            jade > constantinople

  More info       https://nodesecurity.io/advisories/568


  Low             Regular Expression Denial of Service

  Package         clean-css

  Patched in      >=4.1.11

  Dependency of   jade

  Path            jade > clean-css

  More info       https://nodesecurity.io/advisories/785

found 4 vulnerabilities (3 low, 1 critical) in 194 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

My node --version is v10.15.0 and express --version is 4.16.1, and I use Windows 10. I don't know if other information needs to be put here, but let me know if so.

Recommended answer

Reason: Jade has been renamed to pug; please install the latest version of pug instead of jade.

Fix:

  1. npm uninstall jade
  2. npm install pug
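
Every finding in the report above lists jade as its "Dependency of", which is why the fix is applied to that one direct dependency rather than to each flagged package. The following is an added example, not part of the original post: it parses the text layout shown in the question (findings condensed from that report) and groups them by direct dependency. The function names are illustrative.

```javascript
// Findings condensed from the report in the question (npm audit text layout).
const REPORT = `
  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification
  Package         uglify-js
  Dependency of   jade
  Path            jade > transformers > uglify-js
  Low             Regular Expression Denial of Service
  Package         uglify-js
  Dependency of   jade
  Path            jade > transformers > uglify-js
  Critical        Sandbox Bypass Leading to Arbitrary Code Execution
  Package         constantinople
  Dependency of   jade
  Path            jade > constantinople
  Low             Regular Expression Denial of Service
  Package         clean-css
  Dependency of   jade
  Path            jade > clean-css
`;

const RANK = { Low: 1, Moderate: 2, High: 3, Critical: 4 };

// Parse "<Label>  <value>" rows; a severity label opens a new finding.
function parseFindings(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*(Low|Moderate|High|Critical|Package|Dependency of|Path)\s{2,}(.+)$/);
    if (!m) continue; // blank lines and wrapped title lines are skipped
    const [, label, value] = m;
    if (label in RANK) findings.push({ severity: label, title: value.trim() });
    else if (findings.length) findings[findings.length - 1][label] = value.trim();
  }
  return findings;
}

// Group by the direct dependency that pulls each vulnerable package in.
function byDirectDependency(findings) {
  const groups = {};
  for (const f of findings) {
    const key = f['Dependency of'];
    const g = groups[key] || (groups[key] = { worst: 'Low', packages: [] });
    if (RANK[f.severity] > RANK[g.worst]) g.worst = f.severity;
    if (!g.packages.includes(f.Package)) g.packages.push(f.Package);
  }
  return groups;
}

console.log(byDirectDependency(parseFindings(REPORT)));
```
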
