NPM-AUDIT find to high vulnerabilities. What am I supposed to do?

前端 未结 7 2128
清歌不尽
清歌不尽 2021-02-19 11:16

npm audit run on my project and got me this

High Command Injection
Dependency of @angular-devkit/build-angular [dev]

相关标签:
7条回答
  • 2021-02-19 11:28
    1. Remove the tree-kill package from the node_modules folder & Delete
      the package-lock.json file.

    2. Find @angular-devkit/build-angular folder in the node_modules folder and edit the package.json file; change tree-kill version from 1.2.1 to 1.2.2
      Find @ngtools/webpack in the node_modules folder and edit the package.json file; change tree-kill version from 1.2.1 to 1.2.2

    3. run npm install.
    0 讨论(0)
  • 2021-02-19 11:31

    Check the GitHub repo to see if a fix is being worked on. I found this issue: https://github.com/angular/angular-cli/issues/16629 and a pull request (https://github.com/angular/angular-cli/pull/15894) which removes the dependency.

    0 讨论(0)
  • 2021-02-19 11:33

    I was having the same problem today and I fixed it by:

    1. delete the tree-kill package from the node_modules folder.
    2. delete the package-lock.json file.
    3. go to the @angular-devkit/build-angular folder in the node_modules folder and edit the package.json file; change tree-kill version from 1.2.1 to 1.2.2
    4. go to @ngtools/webpack folder in the node_modules folder and do the same as step 3.

    run npm install after that.

    0 讨论(0)
  • 2021-02-19 11:37

    You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

    Just do the following steps:

    1. Update your package.json file by adding resolutions section with proper version of package tree-kill:
    "resolutions": {
      "tree-kill": "1.2.2"
    }
    
    1. Update your package-lock.json by running command:
    npx npm-force-resolutions
    
    1. Reinstall NPM packages in your project:
    rm -r node_modules
    npm install
    

    Run npm audit to check that your project does not have anymore this problem. And don't forget to commit modified files package.json and package-lock.json.

    More information about NPM Force Resolutions.

    0 讨论(0)
  • 2021-02-19 11:37

    I just had this problem too and after some researchs, i found something:

    NPM throws error on "audit fix" - Configured registry is not supported

    Of course, it's about an other problem but, by adapting the solution given there, it resolved my problem.

    So :

    • Delete the node_modules folder of tree-kill
    • Edit package-lock.json file like it's done but with tree-kill module instead.
    • Don't forget to run npm install at the end

    I hope i've been clear enough.

    0 讨论(0)
  • 2021-02-19 11:40

    Add below code to package.json

    "resolutions": {
    "tree-kill":"1.2.2"
    }
    

    Remove all node modules:

    rm -r node_modules
    

    Update package-lock.json for new version 1.2.2 as :

    npx npm-force-resolutions
    

    Now install node modules:

    npm install
    

    This works for me.

    0 讨论(0)
提交回复
热议问题