How to fix npm vulnerabilities manually?

Backend | Unresolved | 4 | 686
臣服心动 2020-12-04 11:58

When I run `npm install` it says `found 33 vulnerabilities (2 low, 31 moderate) run \`npm audit fix\` to fix them, or \`npm audit\` for details`.

4 answers
  • 2020-12-04 12:20

    If you are absolutely certain you'd like to skip the audit, you can do so by appending `--no-audit`:

        npm install --no-audit
  • 2020-12-04 12:26

    lodash-cli in devDependencies doesn't affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency.

    What the audit report says is that it's easy-extender that has the lodash dependency:

        browser-sync > easy-extender > lodash

    It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from the NPM public registry. But there is no real problem with this dependency.

    The importance of an audit report should be evaluated manually. Even if a nested dependency has a security risk, this doesn't mean that the feature that introduces this risk was used. This also doesn't mean that, even if it's used, it introduces a real risk, due to how it's used.

    browser-sync is a development tool that isn't used in production; there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices; it can be ignored.

    Generally, this is the way to fix reported vulnerabilities:

    • Do a sanity check
    • In case it's a real problem, check the repository of vulnerable package for existing issues and PRs
    • In case there's none, submit an issue
    • Fork the repository or use an existing PR as a git dependency until it's fixed in an NPM release
    • In case of nested dependencies, do this at several levels of nesting

    Most times it's expected that you won't advance beyond a sanity check.

    patch-package can help to patch nested dependencies in-place, but this won't affect the audit report.
  • 2020-12-04 12:32

    `npm audit fix` will increment the version of the dependency in package.json, which might lead to breaking code. So a better way is to open package-lock.json and update the dependency/subdependency versions to the required version. Maintain the package-lock.json in the repository.

    Sometimes vulnerabilities are from dev packages. In that case ignore those vulnerabilities, as those are not getting picked up in production.
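The sanity check the two answers above describe (trace each finding's path back to the top-level package and ask whether that package is a devDependency) can be scripted. This is an added example, not code from the thread or from npm; it assumes the npm 6 `npm audit --json` shape with `advisories[].findings[].paths`, and all package names, ids and versions in it are constructed placeholders.

```javascript
// Triage an npm 6 style `npm audit --json` report: walk each finding's
// dependency path (e.g. "browser-sync > easy-extender > lodash") back to the
// top-level package that pulls it in and check whether that package is only
// a devDependency. All data below is constructed for illustration.

// Constructed package.json excerpt (hypothetical project).
const packageJson = {
  dependencies: { "some-app-lib": "^1.0.0" },
  devDependencies: { "browser-sync": "^2.26.0", jest: "^26.0.0" },
};

// Constructed audit excerpt; ids and versions are placeholders, not real advisories.
const auditReport = {
  advisories: {
    "101": { id: 101, module_name: "lodash", severity: "low", title: "Prototype Pollution",
      findings: [{ version: "3.10.1", paths: ["browser-sync > easy-extender > lodash"] }] },
    "102": { id: 102, module_name: "lodash", severity: "moderate", title: "Prototype Pollution",
      findings: [{ version: "4.17.4", paths: ["jest > lodash", "some-app-lib > lodash"] }] },
    "103": { id: 103, module_name: "hypothetical-pkg", severity: "moderate", title: "Prototype Pollution",
      findings: [{ version: "1.2.0", paths: ["unlisted-tool > hypothetical-pkg"] }] },
  },
};

// The first segment of a path is the top-level dependency that introduced it.
function rootOfPath(path) {
  return path.split(">")[0].trim();
}

// Bucket advisories: "production" if any path starts at a runtime dependency,
// "devOnly" if every path starts at a devDependency, otherwise "unknownRoot"
// (e.g. a package present in node_modules but not declared in package.json).
function triageAudit(audit, pkg) {
  const prodRoots = new Set(Object.keys(pkg.dependencies || {}));
  const devRoots = new Set(Object.keys(pkg.devDependencies || {}));
  const result = { production: [], devOnly: [], unknownRoot: [] };
  for (const adv of Object.values(audit.advisories)) {
    const roots = adv.findings.flatMap((f) => f.paths).map(rootOfPath);
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity, roots };
    if (roots.some((r) => prodRoots.has(r))) result.production.push(entry);
    else if (roots.every((r) => devRoots.has(r))) result.devOnly.push(entry);
    else result.unknownRoot.push(entry);
  }
  return result;
}

const triaged = triageAudit(auditReport, packageJson);
for (const [bucket, entries] of Object.entries(triaged)) {
  const list = entries.map((e) => `#${e.id} ${e.module} (${e.severity})`).join(", ");
  console.log(`${bucket}: ${list || "none"}`);
}
```

Only the `production` bucket needs the fork-or-update work from the list above; `devOnly` findings are the ones the answers say are safe to leave, and `unknownRoot` entries deserve a look at why the package is installed at all.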
  • 2020-12-04 12:36

    Most of the problems that occurred in my system were due to the npm package. I tried:

        npm un npm

    You don't have to install again.

    Just run program again. It worked for me.
