• Unresolved: found 1 high severity vulnerability run `npm audit fix` to fix them, or `npm audit` for details


    Problem:

    When creating a new project with `ng new hello-world`, the project shows the following warning:

    found 1 high severity vulnerability
      run `npm audit fix` to fix them, or `npm audit` for details

    Command analysis:

    Scan the project for vulnerabilities and automatically install any compatible updates to the vulnerable dependencies:

    $ npm audit fix [--force]

    Scan the project for vulnerabilities and show the details without fixing anything:

    $ npm audit

    Get a detailed audit report in JSON format:

    $ npm audit --json

    Troubleshooting process (unresolved):

    1. After running `npm audit fix --force`, the following message appears:

    fixed 0 of 1 vulnerability in 42611 scanned packages
      1 vulnerability required manual review and could not be updated

    2. Run `npm audit --json` to get the audit results:

    npm audit --json
    {
      "actions": [
        {
          "action": "review",
          "module": "tar",
          "resolves": [
            {
              "id": 803,
              "path": "@angular-devkit/build-angular>node-sass>node-gyp>tar",
              "dev": true,
              "optional": true,
              "bundled": false
            }
          ]
        }
      ],
      "advisories": {
        "803": {
          "findings": [
            {
              "version": "2.2.1",
              "paths": [
                "@angular-devkit/build-angular>node-sass>node-gyp>tar"
              ],
              "dev": true,
              "optional": true,
              "bundled": false
            }
          ],
          "id": 803,
          "created": "2019-04-04T03:31:56.572Z",
          "updated": "2019-04-12T15:52:56.353Z",
          "deleted": null,
          "title": "Arbitrary File Overwrite",
          "found_by": {
            "link": "",
            "name": "Max Justicz"
          },
          "reported_by": {
            "link": "",
            "name": "Max Justicz"
          },
          "module_name": "tar",
          "cves": [],
          "vulnerable_versions": "<4.4.2",
          "patched_versions": ">=4.4.2",
          "overview": "Versions of `tar` prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.",
          "recommendation": "Upgrade to version 4.4.2 or later.",
          "references": "- [HackerOne Report](https://hackerone.com/reports/344595)",
          "access": "public",
          "severity": "high",
          "cwe": "CWE-59",
          "metadata": {
            "module_type": "",
            "exploitability": 5,
            "affected_components": ""
          },
          "url": "https://npmjs.com/advisories/803"
        }
      },
      "muted": [],
      "metadata": {
        "vulnerabilities": {
          "info": 0,
          "low": 0,
          "moderate": 0,
          "high": 1,
          "critical": 0
        },
        "dependencies": 21,
        "devDependencies": 42590,
        "optionalDependencies": 2091,
        "totalDependencies": 42611
      },
      "runId": "8e446833-64cb-4b92-8bf0-f297c6ce45ab"
    }

    The output shows that the version of the `tar` package pulled in by node-gyp is too old and needs to be raised to 4.4.2 or later. Reference: https://www.npmjs.com/advisories/803
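Reading a report like the one above by hand does not scale, so here is an added example (not from the original post) that triages an npm 6 `npm audit --json` report: for each advisory it extracts the direct dependency that pulls the vulnerable package in, whether every finding is dev-only or optional-only (as with `tar` here, which is reachable only through `@angular-devkit/build-angular`), and whether npm queued it for manual review instead of an automatic fix. The embedded `sampleReport` is constructed from the fields shown above.

```javascript
// Constructed sample mirroring the npm 6 `npm audit --json` structure printed above
// (advisory 803 for tar via node-gyp); only the fields the triage uses are kept.
const sampleReport = {
  actions: [{
    action: "review", module: "tar",
    resolves: [{ id: 803, path: "@angular-devkit/build-angular>node-sass>node-gyp>tar",
                 dev: true, optional: true, bundled: false }],
  }],
  advisories: {
    "803": {
      id: 803, module_name: "tar", severity: "high", cwe: "CWE-59",
      title: "Arbitrary File Overwrite",
      vulnerable_versions: "<4.4.2", patched_versions: ">=4.4.2",
      findings: [{ version: "2.2.1", dev: true, optional: true, bundled: false,
                   paths: ["@angular-devkit/build-angular>node-sass>node-gyp>tar"] }],
    },
  },
};

// Summarise each advisory: the direct dependency that pulls the vulnerable
// package in, whether it is reachable only through dev/optional dependencies
// (so it is not shipped to production), and whether npm only queued it for
// manual "review" rather than an automatic update/install.
function triageAudit(report) {
  const manual = new Set((report.actions || [])
    .filter(a => a.action === "review")
    .flatMap(a => a.resolves.map(r => r.id)));
  return Object.values(report.advisories || {}).map(adv => {
    const findings = adv.findings || [];
    const paths = findings.flatMap(f => f.paths);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      cwe: adv.cwe,
      installed: [...new Set(findings.map(f => f.version))],
      patched: adv.patched_versions,
      // The first segment of a ">"-separated path is the direct dependency.
      directDeps: [...new Set(paths.map(p => p.split(">")[0]))],
      devOnly: findings.length > 0 && findings.every(f => f.dev),
      optionalOnly: findings.length > 0 && findings.every(f => f.optional),
      needsManualReview: manual.has(adv.id),
    };
  });
}
// Items to escalate: reachable from production code and not auto-fixable.
function productionBlockers(report) {
  return triageAudit(report).filter(r => !r.devOnly && r.needsManualReview);
}
console.log(JSON.stringify(triageAudit(sampleReport), null, 2));
```

Pipe a real report in with `npm audit --json > audit.json` and replace `sampleReport` with `JSON.parse(fs.readFileSync("audit.json"))`; npm 7 and later emit a different schema, so this parser applies to the npm 6 format shown on this page.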

    3. About node-gyp.

    GYP (Generate Your Projects) is a build system open-sourced by Google. It was first used for the Chromium project, and some other open-source projects have since adopted GYP, such as V8 and node-gyp. Reference: http://erikge.com/articles/HelloGyp/

    4. node-gyp is not needed for now; this is left as a to-do to be filled in later.

  • Original article: https://www.cnblogs.com/wyhcool/p/10816301.html