问题出现:
在通过 `ng new hello-world` 命令新建项目时,项目出现以下警告:
found 1 high severity vulnerability run `npm audit fix` to fix them, or `npm audit` for details
命令分析:
扫描项目中的漏洞并自动将任何兼容的更新安装到易受攻击的依赖项:
$ npm audit fix [--force]
扫描项目中的漏洞并显示详细信息,而无需修复任何内容:
$ npm audit
以 JSON 格式获取详细的审计报告:
$ npm audit --json
未解决过程:
1.运行命令 `npm audit fix --force` 后出现提示:
fixed 0 of 1 vulnerability in 42611 scanned packages 1 vulnerability required manual review and could not be updated
2.运行命令 `npm audit --json` 获取审计结果:
npm audit --json { "actions": [ { "action": "review", "module": "tar", "resolves": [ { "id": 803, "path": "@angular-devkit/build-angular>node-sass>node-gyp>tar", "dev": true, "optional": true, "bundled": false } ] } ], "advisories": { "803": { "findings": [ { "version": "2.2.1", "paths": [ "@angular-devkit/build-angular>node-sass>node-gyp>tar" ], "dev": true, "optional": true, "bundled": false } ], "id": 803, "created": "2019-04-04T03:31:56.572Z", "updated": "2019-04-12T15:52:56.353Z", "deleted": null, "title": "Arbitrary File Overwrite", "found_by": { "link": "", "name": "Max Justicz" }, "reported_by": { "link": "", "name": "Max Justicz" }, "module_name": "tar", "cves": [], "vulnerable_versions": "<4.4.2", "patched_versions": ">=4.4.2", "overview": "Versions of `tar` prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.", "recommendation": "Upgrade to version 4.4.2 or later.", "references": "- [HackerOne Report](https://hackerone.com/reports/344595)", "access": "public", "severity": "high", "cwe": "CWE-59", "metadata": { "module_type": "", "exploitability": 5, "affected_components": "" }, "url": "https://npmjs.com/advisories/803" } }, "muted": [], "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0 }, "dependencies": 21, "devDependencies": 42590, "optionalDependencies": 2091, "totalDependencies": 42611 }, "runId": "8e446833-64cb-4b92-8bf0-f297c6ce45ab" }
从打印结果中发现,node-gyp 依赖的 tar 包的版本过低,需要设置到 4.4.2 及以上版本。参考:https://www.npmjs.com/advisories/803
3.关于 node-gyp。
GYP,Generate Your Projects,一个 google 开源的构建系统,最开始用于 Chromium 项目,现在一些其他的开源项目也开始使用 GYP,如 V8 和 node-gyp。参考:http://erikge.com/articles/HelloGyp/
4.暂时用不到 node-gyp,挖好再填。