Asked by: 小点点

12 high severity vulnerabilities found when installing npm


In Angular 8, when I install npm, 12 high severity vulnerabilities are found.

Versions:

Angular CLI: 8.0.3
Node: 10.16.0
OS: linux x64
Angular: 8.0.1
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, material, platform-browser
... platform-browser-dynamic, platform-server, router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.800.3
@angular-devkit/build-angular     0.800.3
@angular-devkit/build-optimizer   0.800.3
@angular-devkit/build-webpack     0.800.3
@angular-devkit/core              8.0.3
@angular-devkit/schematics        8.0.3
@angular/cli                      8.0.3
@angular/fire                     5.2.1
@angular/flex-layout              8.0.0-beta.26
@angular/http                     7.2.15
@ngtools/webpack                  8.0.3
@schematics/angular               8.0.3
@schematics/update                0.800.3
rxjs                              6.5.2
typescript                        3.4.5
webpack                           4.30.0

When I run the command npm audit, it shows:

     === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libcipm > npm-lifecycle > node-gyp > fstream            

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libcipm > npm-lifecycle > node-gyp > tar > fstream      

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libnpm > npm-lifecycle > node-gyp > fstream             

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > libnpm > npm-lifecycle > node-gyp > tar > fstream       

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > node-gyp > fstream                                      

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > node-gyp > tar > fstream                                

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > npm-lifecycle > node-gyp > fstream                      

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         fstream                                                       

  Patched in      >=1.0.12                                                      

  Dependency of   npm                                                           

  Path            npm > npm-lifecycle > node-gyp > tar > fstream                

  More info       https://npmjs.com/advisories/886                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > libcipm > npm-lifecycle > node-gyp > tar                

  More info       https://npmjs.com/advisories/803                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > libnpm > npm-lifecycle > node-gyp > tar                 

  More info       https://npmjs.com/advisories/803                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > node-gyp > tar                                          

  More info       https://npmjs.com/advisories/803                              


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=2.2.2 <3.0.0 || >=4.4.2                                     

  Dependency of   npm                                                           

  Path            npm > npm-lifecycle > node-gyp > tar                          

  More info       https://npmjs.com/advisories/803 

found 12 high severity vulnerabilities in 31845 scanned packages
  12 vulnerabilities require manual review. See the full report for details.

I want to get to 0 vulnerabilities.


2 answers

Anonymous user

Open the package.json file and search for npm, then remove the npm version line (e.g. "npm": "^6.9.0") from the package.json file.

Then delete the node_modules folder and the package-lock.json file from the project.

Then run the npm install command.

Now you should see 0 vulnerabilities.

Anonymous user

This is not an Angular-related question. npm is reporting that some packages have known security issues.

You can try running npm audit fix to have the known-vulnerable dependencies upgraded (if an upgrade is available); otherwise you have to wait for the package maintainers to fix these issues.

Keep in mind that, although security vulnerabilities are very important, vulnerabilities in development packages are also reported, and those may never reach your production system.

If upgrading the dependencies (or changing them) does not resolve the problem, there is nothing you can do yourself.
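The two answers together make one practical point: every one of the 12 findings above chains through a single top-level package (npm > ...), and whether that root is a production or a dev dependency decides how much of it reaches production. The following is an added example, not code from the question or either answer. It groups the findings of an npm audit JSON report by the top-level package they chain through, marks that root as a production or dev dependency using the project's package.json, and then performs the first answer's manual step of dropping a project-local "npm" entry from package.json. The report shape (an "advisories" object keyed by advisory id with module_name, severity, title, patched_versions, url and findings[].paths) is assumed to match the npm 6 JSON format; the report and package.json in the block are constructed from the paths, advisory numbers and versions quoted on this page, not captured from a real run.

```javascript
// Added example, not code from the original question or either answer.
//   classifyAuditReport(): groups audit findings by the top-level package each
//     vulnerable path chains through and records whether that root is a
//     production or dev dependency of the project (the distinction raised in
//     the second answer).
//   removeNpmDependency(): drops a project-local "npm" entry from package.json,
//     the manual step described in the first answer.
// Assumption: the report follows the npm 6 `npm audit --json` shape. The sample
// report and package.json below are constructed from values quoted on the page.

// Constructed from the 12 "Path" lines in the question's audit output.
const FSTREAM_PATHS = [
  "npm > libcipm > npm-lifecycle > node-gyp > fstream",
  "npm > libcipm > npm-lifecycle > node-gyp > tar > fstream",
  "npm > libnpm > npm-lifecycle > node-gyp > fstream",
  "npm > libnpm > npm-lifecycle > node-gyp > tar > fstream",
  "npm > node-gyp > fstream",
  "npm > node-gyp > tar > fstream",
  "npm > npm-lifecycle > node-gyp > fstream",
  "npm > npm-lifecycle > node-gyp > tar > fstream",
];
const TAR_PATHS = [
  "npm > libcipm > npm-lifecycle > node-gyp > tar",
  "npm > libnpm > npm-lifecycle > node-gyp > tar",
  "npm > node-gyp > tar",
  "npm > npm-lifecycle > node-gyp > tar",
];

const SAMPLE_AUDIT = {
  advisories: {
    "886": {
      id: 886, module_name: "fstream", severity: "high",
      title: "Arbitrary File Overwrite", patched_versions: ">=1.0.12",
      url: "https://npmjs.com/advisories/886",
      findings: [{ paths: FSTREAM_PATHS }],
    },
    "803": {
      id: 803, module_name: "tar", severity: "high",
      title: "Arbitrary File Overwrite", patched_versions: ">=2.2.2 <3.0.0 || >=4.4.2",
      url: "https://npmjs.com/advisories/803",
      findings: [{ paths: TAR_PATHS }],
    },
  },
};

// Constructed package.json; "npm": "^6.9.0" is the line the first answer removes.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { "@angular/core": "~8.0.1", npm: "^6.9.0" },
  devDependencies: { "@angular/cli": "~8.0.3" },
};

// Returns { byRoot: { <root>: { scope, count, advisories[] } }, bySeverity: { <sev>: n } }.
function classifyAuditReport(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const byRoot = {};
  const bySeverity = {};
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        // The first segment of "a > b > c" is the direct dependency that pulls in the chain.
        const root = path.split(">")[0].trim();
        const scope = prod.has(root) ? "prod" : dev.has(root) ? "dev" : "unknown";
        if (!byRoot[root]) byRoot[root] = { scope, count: 0, advisories: new Set() };
        byRoot[root].count += 1;
        byRoot[root].advisories.add(adv.id);
        bySeverity[adv.severity] = (bySeverity[adv.severity] || 0) + 1;
      }
    }
  }
  for (const entry of Object.values(byRoot)) {
    entry.advisories = [...entry.advisories].sort((a, b) => a - b);
  }
  return { byRoot, bySeverity };
}

// Removes "npm" from dependencies/devDependencies of a package.json text and
// reports what was removed, so the change can be reviewed before reinstalling.
function removeNpmDependency(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const removed = [];
  for (const section of ["dependencies", "devDependencies"]) {
    if (pkg[section] && Object.prototype.hasOwnProperty.call(pkg[section], "npm")) {
      removed.push({ section, range: pkg[section].npm });
      delete pkg[section].npm;
    }
  }
  return { text: JSON.stringify(pkg, null, 2) + "\n", removed };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(classifyAuditReport(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON), null, 2));
  console.log("removed:", JSON.stringify(removeNpmDependency(JSON.stringify(SAMPLE_PACKAGE_JSON)).removed));
}
```

On the sample data every finding lands under the root npm, listed as a production dependency, which is exactly why the first answer's edit makes the report go to zero: the vulnerable fstream and tar copies are only installed because a second, project-local npm is. Note that removing that entry takes the nested copy out of the audit's scope; it does not upgrade the npm the machine actually runs, which is updated separately.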