NPM-AUDIT find to high vulnerabilities. What am I supposed to do?

问题

npm audit run on my project and got me this

High Command Injection
Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill

More info https://npmjs.com/advisories/1432

High Command Injection

Package tree-kill

Patched in >=1.2.2

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > tree-kill

More info https://npmjs.com/advisories/1432

Tree-kill needs to be updated, but is a dep of angular, not mine. So what? Need to wait that angular-team update its own package.json to a newer version of tree-kill?

回答1:

I was having the same problem today and I fixed it by:

1. delete the tree-kill package from the node_modules folder.
2. delete the package-lock.json file.
3. go to the @angular-devkit/build-angular folder in the node_modules folder and edit the package.json file; change tree-kill version from 1.2.1 to 1.2.2
4. go to @ngtools/webpack folder in the node_modules folder and do the same as step 3.

run npm install after that.

回答2:

You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

Just do the following steps:

1. Update your package.json file by adding resolutions section with proper version of package tree-kill:

"resolutions": {
  "tree-kill": "1.2.2"
}

2. Update your package-lock.json by running command:

npx npm-force-resolutions

3. Reinstall NPM packages in your project:

rm -r node_modules
npm install

Run npm audit to check that your project does not have anymore this problem. And don't forget to commit modified files package.json and package-lock.json.

More information about NPM Force Resolutions.

回答3:

I just had this problem too and after some researchs, i found something:

NPM throws error on "audit fix" - Configured registry is not supported

Of course, it's about an other problem but, by adapting the solution given there, it resolved my problem.

So :

• Delete the node_modules folder of tree-kill
• Edit package-lock.json file like it's done but with tree-kill module instead.
• Don't forget to run npm install at the end

I hope i've been clear enough.

回答4:

Check the GitHub repo to see if a fix is being worked on. I found this issue: https://github.com/angular/angular-cli/issues/16629 and a pull request (https://github.com/angular/angular-cli/pull/15894) which removes the dependency.

回答5:

1. Remove the tree-kill package from the node_modules folder & Delete
   the package-lock.json file.

2. Find @angular-devkit/build-angular folder in the node_modules folder and edit the package.json file; change tree-kill version from 1.2.1 to 1.2.2
   Find @ngtools/webpack in the node_modules folder and edit the package.json file; change tree-kill version from 1.2.1 to 1.2.2

3. run npm install.

来源：https://stackoverflow.com/questions/59694224/npm-audit-find-to-high-vulnerabilities-what-am-i-supposed-to-do