How to fix these vulnerabilities? (npm audit fix fails to fix these vulnerabilities)

Posted 2020-02-15 20:35:23

【Question】:

My project has 6 high severity vulnerabilities and I don't know how to fix them. npm audit fix fails. Please help me solve this.

I am installing https://www.npmjs.com/package/toastr into my project, and the vulnerabilities showed up after the install. I don't know whether that is related.

=== npm audit security report ===

                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance           


High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > @schematics/update > pacote >                  
                make-fetch-happen > https-proxy-agent                         

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > pacote > make-fetch-happen >                   
                https-proxy-agent                                             

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > @schematics/update > pacote >                  
                npm-registry-fetch > make-fetch-happen > https-proxy-agent    

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > pacote > npm-registry-fetch >                  
                make-fetch-happen > https-proxy-agent                         

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   protractor [dev]                                              

Path            protractor > browserstack > https-proxy-agent                 

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   protractor [dev]                                              

Path            protractor > saucelabs > https-proxy-agent                    

More info       https://npmjs.com/advisories/1184

【Question discussion】:

【Answer 1】:

1) npm i --save-dev npm-force-resolutions

2) Add this to your package.json

"resolutions": {
  "https-proxy-agent": "^3.0.0"
}

3) Let npm-force-resolutions do its thing

rm -r node_modules
npx npm-force-resolutions
npm install

4) Re-run your audit: npm audit.

Source: https://github.com/TooTallNate/node-https-proxy-agent/issues/84#issuecomment-543884972

【Comments】:

This solution only works for a while, and then the same problem appears again. @user11135351 See ***.com/questions/64605805/…

【Answer 2】:

Fixing the BUILD problem and general install problems:

package.json

{
  ...
  "scripts": {
    "resolve-install": "npx npm-force-resolutions && npm install"
  },
  "resolutions": {
    "https-proxy-agent": "^3.0.0"
  }
}

Then run this in cmd / Dockerfile instead of npm install:

npm run resolve-install

【Comments】:

【Answer 3】:

Take a look at this post: How do I override nested NPM dependency versions?

Just replace the corresponding package with the one listed in the audit.

【Comments】:
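Added example, not code from the question or from any of the answers: a small Node.js script that models what the "resolutions" override used in Answer 1 and Answer 2 does to a dependency tree, and then checks whether every path the audit listed actually ended up at or above the patched floor. The nested tree is constructed for this example (same shape as the "dependencies" objects in npm ls --json or a v1 package-lock.json, but de-duplication is ignored so all six audit paths appear explicitly); its version numbers are placeholders, the 2.0.0 for https-proxy-agent is simply a constructed value below the patched range, and only the ">=3.0.0" floor and the package names come from the audit output above.

```javascript
'use strict';

// Parse a plain "x.y.z" version into numbers (pre-release tags are not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// true when installed >= minimum, comparing major, minor, patch in order.
function versionAtLeast(installed, minimum) {
  const a = parseVersion(installed);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Depth-first walk of a nested { version, dependencies } tree. Returns every
// path (as "a > b > c") that ends at pkgName with a version below patchedMin.
function findUnpatchedPaths(tree, pkgName, patchedMin) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkgName && !versionAtLeast(info.version, patchedMin)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(tree.dependencies, []);
  return hits;
}

// Deep copy of the tree with every occurrence of pkgName pinned to newVersion:
// a model of what a "resolutions" entry does to the installed tree.
function applyResolution(tree, pkgName, newVersion) {
  const copy = JSON.parse(JSON.stringify(tree));
  const rewrite = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === pkgName) info.version = newVersion;
      rewrite(info.dependencies);
    }
  };
  rewrite(copy.dependencies);
  return copy;
}

// Constructed sample tree reproducing the six paths from the audit report.
// All version numbers here are placeholders (assumption), not real releases.
const hpa = (v) => ({ version: v });
const mfh = (v) => ({ version: '5.0.0', dependencies: { 'https-proxy-agent': hpa(v) } });
const pacote = (v) => ({
  version: '9.0.0',
  dependencies: {
    'make-fetch-happen': mfh(v),
    'npm-registry-fetch': { version: '4.0.0', dependencies: { 'make-fetch-happen': mfh(v) } },
  },
});
const SAMPLE_LOCK = {
  dependencies: {
    '@angular/cli': {
      version: '8.0.0',
      dependencies: {
        '@schematics/update': { version: '0.800.0', dependencies: { pacote: pacote('2.0.0') } },
        pacote: pacote('2.0.0'),
      },
    },
    protractor: {
      version: '5.4.0',
      dependencies: {
        browserstack: { version: '1.5.0', dependencies: { 'https-proxy-agent': hpa('2.0.0') } },
        saucelabs: { version: '1.5.0', dependencies: { 'https-proxy-agent': hpa('2.0.0') } },
      },
    },
  },
};

function main() {
  const before = findUnpatchedPaths(SAMPLE_LOCK, 'https-proxy-agent', '3.0.0');
  console.log(`${before.length} unpatched path(s) before override:`);
  for (const h of before) console.log(`  ${h.path} (${h.version})`);
  const fixed = applyResolution(SAMPLE_LOCK, 'https-proxy-agent', '3.0.0');
  const after = findUnpatchedPaths(fixed, 'https-proxy-agent', '3.0.0');
  console.log(`${after.length} unpatched path(s) after override`);
}
main();
```

Run it with node. In a real project the same walk can be pointed at the JSON from npm ls --json after npm install; a non-empty result means the override did not reach every path, which is the symptom described in the comment on Answer 1, and is worth checking in CI rather than trusting the audit count alone.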
