How to fix npm vulnerabilities manually?

余生颓废 提交于 2019-11-26 19:42:33

问题


When I run npm install it says found 33 vulnerabilities (2 low, 31 moderate) run `npm audit fix` to fix them, or `npm audit` for details.

However, npm audit fix outputs up to date in 11s fixed 0 of 33 vulnerabilities in 24653 scanned packages 33 vulnerabilities required manual review and could not be updated

Does that review mean it is not supposed to be fixed by user?

When I run npm audit it gives me list of tables, similar to this:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > easy-extender > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

In this example remediation section of linked page says Update to version 4.17.5 or later.. However, in /node_modules/browser-sync/package.json there are lines:

"devDependencies": {
    "lodash-cli": "4.17.5",
}

and no more lodash dependencies. So it should already be v4.17.5. I also checked /node_modules/lodash/lodash.json which has var VERSION = '4.17.10'; line. In /node_modules/lodash/package.json there are these lines:

  "_from": "lodash@^4.17.4",
  "_id": "lodash@4.17.10",

I believe that version shown in "_id", not in "_from", so versions are correct but vulnerability still appear in audit list.

I'm still new in node.js and those messages confuses me a lot. Is there any way to fix it manually or get rid of those messages, I can't do anything with?


回答1:


lodash-cli in devDependencies doesn't affect how browser-sync works in your project, devDependencies are ignored when a package is installed as a dependency.

What audit report says is that it's easy-extender that has lodash dependency:

browser-sync > easy-extender > lodash        

It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from NPM public registry. But there is no real problem with this dependency.

audit report importance should be evaluated manually. Even if nested dependency has security risk, this doesn't mean that a feature that introduces this risk was used. This also doesn't mean that even if it's used, it introduces real risk due to how it's used.

browser-sync is development tool that isn't used in production, there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices, it can be ignored.

Generally, this is the way to fix reported vulnerabilities:

  • Do a sanity check
  • In case it's a real problem, check the repository of vulnerable package for existing issues and PRs
  • In case there's none, submit an issue
  • Fork a repository or use use existing PR as git dependency until it's fixed in NPM release
  • In case of nested dependencies, do this at several levels of nesting

Most times it's expected that you won't advance beyond a sanity check.

patch-package can help to patch nested dependencies in-place but this won't affect audit report.




回答2:


The most of the problem occurred in my system was due to npm package. I tried,

npm un npm

You don't have to install again.

Just run program again. It worked for me.




回答3:


If you are absolutely certain you'd like to skip the audit, you can do so by appending --no-audit

 npm install --no-audit


来源:https://stackoverflow.com/questions/51377148/how-to-fix-npm-vulnerabilities-manually

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!