How to fix these vulnerabilities? (npm audit fix fails to fix these vulnerabilities)
Posted: 2020-02-15 20:35:23
Question: My project has 6 high-severity vulnerabilities and I don't know how to fix them. npm audit fix fails. Please help me resolve this.
I was installing https://www.npmjs.com/package/toastr into my project, and the vulnerabilities showed up after the install. I don't know whether that is related.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Machine-In-The-Middle
Package https-proxy-agent
Patched in >=3.0.0
Dependency of @angular/cli [dev]
Path @angular/cli > @schematics/update > pacote >
make-fetch-happen > https-proxy-agent
More info https://npmjs.com/advisories/1184
High Machine-In-The-Middle
Package https-proxy-agent
Patched in >=3.0.0
Dependency of @angular/cli [dev]
Path @angular/cli > pacote > make-fetch-happen >
https-proxy-agent
More info https://npmjs.com/advisories/1184
High Machine-In-The-Middle
Package https-proxy-agent
Patched in >=3.0.0
Dependency of @angular/cli [dev]
Path @angular/cli > @schematics/update > pacote >
npm-registry-fetch > make-fetch-happen > https-proxy-agent
More info https://npmjs.com/advisories/1184
High Machine-In-The-Middle
Package https-proxy-agent
Patched in >=3.0.0
Dependency of @angular/cli [dev]
Path @angular/cli > pacote > npm-registry-fetch >
make-fetch-happen > https-proxy-agent
More info https://npmjs.com/advisories/1184
High Machine-In-The-Middle
Package https-proxy-agent
Patched in >=3.0.0
Dependency of protractor [dev]
Path protractor > browserstack > https-proxy-agent
More info https://npmjs.com/advisories/1184
High Machine-In-The-Middle
Package https-proxy-agent
Patched in >=3.0.0
Dependency of protractor [dev]
Path protractor > saucelabs > https-proxy-agent
More info https://npmjs.com/advisories/1184
Comments:
Answer 1:
1) npm i --save-dev npm-force-resolutions
2) Add this to your package.json:
"resolutions": {
  "https-proxy-agent": "^3.0.0"
}
3) Let npm-force-resolutions do its job:
rm -r node_modules
npx npm-force-resolutions
npm install
4) Re-run your audit: npm audit.
Source: https://github.com/TooTallNate/node-https-proxy-agent/issues/84#issuecomment-543884972
Comments:
This solution only worked for a while, and then the same problem appeared again.
@user11135351 see ***.com/questions/64605805/…
Answer 2: Fix for BUILD problems and general install problems:
package.json
{
  ...
  "scripts": {
    "resolve-install": "npx npm-force-resolutions && npm install"
  },
  "resolutions": {
    "https-proxy-agent": "^3.0.0"
  }
}
Then, in cmd or in the Dockerfile, run this instead of npm install:
npm run resolve-install
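Both Answer 1 and Answer 2 rely on npm-force-resolutions rewriting every nested copy of https-proxy-agent in package-lock.json, and the comment on Answer 1 reports the fix silently coming undone later. The following is an added example, not code from either answer or from npm-force-resolutions: a Node.js check that walks a lockfile v1 `dependencies` tree (the format npm 6 used in 2020) and reports every installed instance of a package named in `resolutions` whose version falls outside the declared range. The package.json and package-lock.json objects below are constructed sample data (the dependency paths mirror the audit report in the question, the version numbers are made up); in a real project you would read the two files with `JSON.parse(fs.readFileSync(...))`. Only the `>=x.y.z` and `^x.y.z` range forms that appear on this page are supported; anything else is rejected rather than guessed.

```javascript
'use strict';

// Parse "1.2.3" (optionally with a "v" prefix or a suffix) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range check for the two forms used on this page:
// ">=x.y.z", and "^x.y.z" (at least x.y.z with the same major; for a
// 0.y.z baseline the minor must match as well, as in npm's semver).
function satisfies(version, range) {
  const gte = /^>=\s*(\S+)$/.exec(range);
  if (gte) return compareVersions(version, gte[1]) >= 0;
  const caret = /^\^(\S+)$/.exec(range);
  if (caret) {
    if (compareVersions(version, caret[1]) < 0) return false;
    const lo = parseVersion(caret[1]);
    const v = parseVersion(version);
    if (lo[0] !== 0) return v[0] === lo[0];
    return v[0] === 0 && v[1] === lo[1];
  }
  throw new Error(`unsupported range syntax: ${range}`);
}

// Walk the nested "dependencies" maps of a v1 lockfile, yielding every
// installed package instance together with the path that leads to it.
function* walkLock(deps, prefix = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    yield { path, name, version: entry.version };
    yield* walkLock(entry.dependencies, path);
  }
}

// Return every installed instance of a package listed in "resolutions"
// whose version is outside the declared range. Empty array = all good.
function findUnresolved(pkg, lock) {
  const resolutions = pkg.resolutions || {};
  const violations = [];
  for (const { path, name, version } of walkLock(lock.dependencies)) {
    if (name in resolutions && !satisfies(version, resolutions[name])) {
      violations.push({ path: path.join(' > '), version, wanted: resolutions[name] });
    }
  }
  return violations;
}

// Constructed sample data (hypothetical versions): the copy under
// @angular/cli was rewritten to 3.0.1, the copy under protractor was not.
const samplePackageJson = {
  resolutions: { 'https-proxy-agent': '^3.0.0' },
};
const samplePackageLock = {
  lockfileVersion: 1,
  dependencies: {
    '@angular/cli': {
      version: '8.3.0',
      dependencies: {
        pacote: {
          version: '9.5.0',
          dependencies: {
            'make-fetch-happen': {
              version: '5.0.0',
              dependencies: { 'https-proxy-agent': { version: '3.0.1' } },
            },
          },
        },
      },
    },
    protractor: {
      version: '5.4.2',
      dependencies: {
        browserstack: {
          version: '1.5.0',
          dependencies: { 'https-proxy-agent': { version: '2.2.4' } },
        },
      },
    },
  },
};

const unresolved = findUnresolved(samplePackageJson, samplePackageLock);
for (const u of unresolved) {
  console.log(`${u.path}: installed ${u.version}, resolution wants ${u.wanted}`);
}
```

Running this against the sample data reports only the protractor path, which is exactly the case the audit in the question would keep flagging. Wiring the check into a CI step after `npm run resolve-install` turns the "it stopped working after a while" problem from a surprise into a failed build.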
Comments:
Answer 3: Take a look at this post: How do I override nested NPM dependency versions?
Just replace the package in that answer with the corresponding one listed in the audit.
Comments: