
How to fix NPM vulnerabilities


When I run npm audit, it says I have 87 vulnerabilities. npm audit fix and npm audit fix --force do not fix the problems.

Here is the output of npm audit fix for the main issues:

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service

dns-packet  <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service 

Looking further in package-lock.json, here is dns-packet:

    "dns-packet": {
      "version": "1.3.1",
      "resolved": "https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz",
      "integrity": "sha512-0UxfQkMhYAUaZI+xrNZOz/as5KgDU0M/fQ9b6SpkyLbk3GEswDi6PADJVaYJradtRVsRIlF1zLyOodbcTCDzUg==",
      "requires": {
        "ip": "^1.1.0",
        "safe-buffer": "^5.0.1"
      }
    }

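The npm documentation says the latest version of dns-packet should be 5.2.3. I tried deleting package-lock.json and node_modules and running npm install, but that did not help. Here is what npm install spits out: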

npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

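At this point I don't know what the problem is. I haven't installed anything for a while. I went to install redux and react-redux, and it started telling me there are vulnerabilities. I don't know where to go from here.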

Edit: I ran npm i npm@latest and the console shows:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! Found: @babel/core@7.12.3
npm ERR! node_modules/@babel/core
npm ERR!   @babel/core@"7.12.3" from react-scripts@4.0.3
npm ERR!   node_modules/react-scripts
npm ERR!     react-scripts@"4.0.3" from the root project
npm ERR!   @babel/core@"^7.12.3" from @svgr/webpack@5.5.0
npm ERR!   node_modules/@svgr/webpack
npm ERR!     @svgr/webpack@"5.5.0" from react-scripts@4.0.3
npm ERR!     node_modules/react-scripts
npm ERR!       react-scripts@"4.0.3" from the root project
npm ERR!   9 more (babel-jest, babel-loader, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @babel/core@"^7.13.0" from @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.13.12
npm ERR! node_modules/@babel/preset-env/node_modules/@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining
npm ERR!   @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@"^7.13.12" from @babel/preset-env@7.14.2
npm ERR!   node_modules/@babel/preset-env
npm ERR!     @babel/preset-env@"^7.12.1" from @svgr/webpack@5.5.0
npm ERR!     node_modules/@svgr/webpack
npm ERR!       @svgr/webpack@"5.5.0" from react-scripts@4.0.3
npm ERR!       node_modules/react-scripts
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
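
The lockfile check described in the question, as an added example that is not part of the original post: it walks the "dependencies" tree of a package-lock.json (lockfileVersion 1 or 2 layout, as in the snippet above) and reports every installed copy of a package, whether it falls below the fixed version from the advisory (dns-packet <5.2.2), and which locked packages require it. The sample lockfile is constructed; the parent packages example-mdns and example-tool are hypothetical.

```javascript
// Added example: trace why a vulnerable transitive package is installed.
// Compare two plain x.y.z versions; returns <0, 0 or >0.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every locked copy of `name`, flag copies below `fixedIn`,
// and list the locked packages that name it under "requires".
function traceDependency(lock, name, fixedIn) {
  const copies = [];
  const requiredBy = new Set();
  (function walk(deps, path) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = path.concat(dep);
      if (dep === name) {
        const vulnerable = cmpVersion(info.version, fixedIn) < 0;
        copies.push({ path: here.join(' > '), version: info.version, vulnerable });
      }
      if (info.requires && name in info.requires) requiredBy.add(`${dep}@${info.version}`);
      walk(info.dependencies, here); // nested node_modules copies
    }
  })(lock.dependencies, []);
  return { copies, requiredBy: [...requiredBy].sort() };
}

// Constructed sample: only the top-level dns-packet entry mirrors the post.
// example-mdns and example-tool are hypothetical parent packages.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'dns-packet': { version: '1.3.1', requires: { ip: '^1.1.0', 'safe-buffer': '^5.0.1' } },
    'example-mdns': { version: '1.0.0', requires: { 'dns-packet': '^1.3.1' } },
    'example-tool': {
      version: '2.0.0',
      requires: { 'dns-packet': '^5.2.2' },
      dependencies: { 'dns-packet': { version: '5.2.3' } },
    },
  },
};

console.log(JSON.stringify(traceDependency(sampleLock, 'dns-packet', '5.2.2'), null, 2));
```

To run it against a real project, replace sampleLock with the parsed contents of package-lock.json; `npm ls dns-packet` prints the same dependency chain from the installed tree.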


A possible solution is to update all node modules. Don't forget to back up your package.json file.

npm i npm@latest

Run npm audit fix --force with root privileges


npm install npm@latest -g
