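npm shows serious vulnerabilities, but I have used
npm cache clear
npm cache clear --force
npm audit fix
npm install
I have tried all of these, but none of them solved my problem. Please give me some ideas: how can I fix it?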
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1505 packages from 755 contributors and audited 18951 packages in 378.007s
found 11 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix
Result
>npm audit fix
npm WARN ajv-keywords@3.2.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 118.757s
fixed 0 of 11 vulnerabilities in 18990 scanned packages
11 vulnerabilities required manual review and could not be updated
And my package.json
{
    "private": true,
    "scripts": {
        "dev": "npm run development",
        "development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
        "watch": "npm run development -- --watch",
        "watch-poll": "npm run watch -- --watch-poll",
        "hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
        "prod": "npm run production",
        "production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
    },
    "devDependencies": {
        "axios": "^0.18",
        "babel-preset-react": "^6.24.1",
        "bootstrap": "^4.0.0",
        "cross-env": "^5.1",
        "jquery": "^3.2",
        "laravel-mix": "^2.0",
        "lodash": "^4.17.4",
        "popper.js": "^1.12",
        "vue": "^2.5.7"
    },
    "dependencies": []
}
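Posted on 2018-08-02 04:07:01
The current Laravel package.json has this vulnerability because of hoek and tunnel-agent. laravel-mix is using these packages and loading them through their package.json.
See more information about the issues here:
https://nodesecurity.io/advisories/566
https://nodesecurity.io/advisories/598
If you remove "laravel-mix": "^2.0", the vulnerabilities will also disappear, but you can no longer use Laravel Mix.
According to the discussion here, I think this issue has been resolved.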
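Posted on 2020-08-14 00:31:41
If anyone is still interested in solving this problem, I googled and found this solution.
Append this key-value pair to the scripts section in the "package.json" file:
"scripts": {
    ...
    "preinstall": "npx npm-force-resolutions", // <-- appended
},
Then add a new section after the "scripts" section, like this:
"resolutions": { // <-- appended
    "yargs-parser": "^18.1.3"
},
Now save the file and run "npm install", and the vulnerabilities are gone :)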
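Posted on 2018-08-02 00:23:56
This means that there are 11 serious vulnerabilities in the packages you downloaded.
Run npm audit, and it will show which packages are affected. Then check carefully whether the author has provided an update. If not, you can fix it yourself, which can be very difficult, since you don't know their source code well...
However, most up-to-date packages provide fixes in newer versions.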
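The first answer traces the findings to hoek and tunnel-agent arriving through laravel-mix, and the last answer says to check which packages are affected. As an added example (not part of the original answers), this Node.js code walks a package-lock.json in the npm 6 layout (lockfileVersion 1, an assumption) and lists the chain from each direct dependency to a transitive package; the lockfile contents and the pkg-a/pkg-b/pkg-c names are constructed.

```javascript
// Added example. Resolve `name` as Node does: innermost node_modules first, then outward.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return { node: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null; // not installed, e.g. a skipped optional dependency such as fsevents
}

// List every chain "direct > ... > target" reachable from the direct dependencies.
function findPaths(lock, directNames, target) {
  const found = [];
  function walk(name, scopes, chain) {
    const hit = resolve(name, scopes);
    if (!hit || chain.includes(name)) return; // missing package or dependency cycle
    const next = chain.concat(name);
    if (name === target) { found.push(next.join(' > ')); return; }
    // A package's own nested node_modules shadows the outer levels.
    const inner = hit.node.dependencies ? hit.scopes.concat([hit.node.dependencies]) : hit.scopes;
    for (const req of Object.keys(hit.node.requires || {})) walk(req, inner, next);
  }
  for (const d of directNames) walk(d, [lock.dependencies || {}], []);
  return found;
}

// Constructed lockfile: package names hoek, tunnel-agent, laravel-mix and axios come
// from the thread; pkg-a/pkg-b/pkg-c, all versions and all edges are hypothetical.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'laravel-mix': { version: '0.0.1', requires: { 'pkg-a': '*' } },
    'pkg-a': { version: '0.0.1', requires: { 'pkg-b': '*' } },
    'pkg-b': {
      version: '0.0.1',
      requires: { 'pkg-c': '*', 'tunnel-agent': '*' },
      dependencies: { 'pkg-c': { version: '0.0.1', requires: { hoek: '*' } } },
    },
    hoek: { version: '0.0.1' },
    'tunnel-agent': { version: '0.0.1' },
    axios: { version: '0.0.1' },
  },
};

for (const target of ['hoek', 'tunnel-agent']) {
  console.log(target, findPaths(sampleLock, ['axios', 'laravel-mix'], target));
}
```

On a real project, pass the parsed package-lock.json and the dependency names from package.json in place of the sample values.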
https://stackoverflow.com/questions/51631811