npm-audit

问题 I ran this older 10.0.1 angular project today, and it told me it had a lot of low vulnerabilities and a few high ones. so i ran npm audit fix to fix them. but now when I try to run it, it gives me these errors: Error: ./src/main.ts Module build failed (from ./node_modules/@ngtools/webpack/src/ivy/index.js): TypeError: angularCompiler.getResourceDependencies(...) is not a function or its return value is not iterable at getDependencies (C:\Web\vgc\vgc\node_modules\@ngtools\webpack\src\ivy

问题 I ran this older 10.0.1 angular project today, and it told me it had a lot of low vulnerabilities and a few high ones. so i ran npm audit fix to fix them. but now when I try to run it, it gives me these errors: Error: ./src/main.ts Module build failed (from ./node_modules/@ngtools/webpack/src/ivy/index.js): TypeError: angularCompiler.getResourceDependencies(...) is not a function or its return value is not iterable at getDependencies (C:\Web\vgc\vgc\node_modules\@ngtools\webpack\src\ivy

问题 npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities. I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install . However npm audit fix still performs a lot of changes after lock file removal + reinstall. What

问题 npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities. I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install . However npm audit fix still performs a lot of changes after lock file removal + reinstall. What

问题 npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities. I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install . However npm audit fix still performs a lot of changes after lock file removal + reinstall. What

问题 npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities. I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install . However npm audit fix still performs a lot of changes after lock file removal + reinstall. What

问题 I'm trying to understand how npm audit command works. By which algorithm it defines that there is a problem and the most important one how it differentiates the level low / moderate / high / critical 回答1: There is no algorithm. Only people. What npm audit does is look at what package you are using and what version and compare it to npm's vulnerability database. Here's the web interface to that database: https://www.npmjs.com/advisories If you click on any of the "problems" you will see 3

问题 Since last night i'm getting the following error: npm ERR! code ENOAUDIT npm ERR! audit Your configured registry (https://registry.npmjs.org/) does not support audit requests. npm ERR! A complete log of this run can be found in: npm ERR! /home/ransinha/.npm/_logs/2018-11-28T18_19_35_432Z-debug.log I have not made any recent changes. https://github.com/verdaccio/verdaccio/issues/689 suggests changeing in config.yaml file. I don't see any config.yaml file in my folder. I'm not using verdaccio

问题 npm audit run on my project and got me this High Command Injection Dependency of @angular-devkit/build-angular [dev] Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill More info https://npmjs.com/advisories/1432 High Command Injection Package tree-kill Patched in >=1.2.2 Dependency of @angular-devkit/build-angular [dev] Path @angular-devkit/build-angular > tree-kill More info https://npmjs.com/advisories/1432 Tree-kill needs to be updated, but is a dep of angular, not mine. So

问题 npm audit run on my project and got me this High Command Injection Dependency of @angular-devkit/build-angular [dev] Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill More info https://npmjs.com/advisories/1432 High Command Injection Package tree-kill Patched in >=1.2.2 Dependency of @angular-devkit/build-angular [dev] Path @angular-devkit/build-angular > tree-kill More info https://npmjs.com/advisories/1432 Tree-kill needs to be updated, but is a dep of angular, not mine. So