After each installation of a new NPM module in my project I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
So then I run npm audit and I get the details for each of the 40 vulnerabilities, such as:
# Run npm install npm@6.0.1 to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk >  │
│               │ boom > hoek                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
or this:
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ chokidar > fsevents > node-pre-gyp > tar-pack > debug        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I run npm install npm@6.0.1 (even though I already had 6.0.1), then npm update fsevents --depth 2.
But after that I re-run npm audit and nothing has changed; I still have the same 40 vulnerabilities, and some of them are really scary. What should I do?
This worked for me on macOS:
- Update NPM to the new 6.1.0. It introduces an 'npm audit fix' command, more info here.
- Run 'npm audit fix'.
When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.
This seems to be a bug in npm 6.0.1 related to handling of optional dependencies: https://github.com/npm/npm/issues/20577
Source: https://github.com/npm/npm/issues/20675.
One fsevents issue may have to do with the fact that fsevents can't be installed on Windows, so you will have to update it on a macOS machine.
That's a bit strange, since looking at exhnozoaa's solution as of this date, it seems to imply otherwise:
I was able to work around this on Windows with the following steps.
- Open package-lock.json in an editor.
- Search for "fsevents". Find the one that is an object directly under "dependencies".
- Delete "fsevents" (the key and the whole object).
- From the terminal, run npm install.
This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.
Source: https://stackoverflow.com/questions/50315186/running-suggested-command-doesnt-fix-npm-vulnerability