I want to fix a vulnerability, and after a lot of clicking around and trial and error I want to use the fix offered by npm audit fix. npm audit says:
# Run npm update mkdirp --depth 8 to resolve 10 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ less > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└──────────────
Now, I ran the command above, and the result is:
npm update mkdirp --depth 8
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN grunt-webpack@2.0.1 requires a peer of webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN karma-webpack@2.0.3 requires a peer of webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0 but none is installed. You must install peer dependencies yourself.
npm WARN The package style-loader is included as both a dev and production dependency.
npm WARN The package uuid is included as both a dev and production dependency.
+ mkdirp@0.5.6
added 4 packages from 1 contributor, updated 1 package and audited 1827 packages in 8.439s
4 packages are looking for funding
run `npm fund` for details
found 528 vulnerabilities (31 low, 169 moderate, 228 high, 100 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Now, if I run npm audit, the vulnerability is gone, but I don't see any change in the package.json file. Only package-lock.json was changed, which we shouldn't check in. How do I get npm audit to change package.json so that it can be checked in?
1 answer
b09cbbtk1#
Only package-lock.json was changed, which we shouldn't check in
That is wrong; you should check this file in. The whole point of it is to make sure that anyone else working with the repo runs the same versions as you do.
As an answer to your question (a bit late), if it makes sense, the vulnerability may be in a dependency of one of your dependencies. For example, you install package A, which depends on package B. Package A will be in your package.json, while package B will only be in the lock file.
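The answer's point, that the vulnerable package lives only in the lock file beneath a direct dependency, as an added example that is not part of the question or the answer: a small Node script with a constructed package.json and lockfile-v1 package-lock.json (made up for this example, not the asker's real files) that walks the lock file to reproduce the `less > mkdirp > minimist` path npm audit reports and shows which version the lock now pins. The function names `resolve`, `findPaths` and `formatPath` are mine.

```javascript
// Constructed sample inputs (not the asker's real files): a package.json with one direct
// dependency and the matching lockfile-v1 package-lock.json after `npm update mkdirp`.
const packageJson = { dependencies: { less: "^3.0.4" } };
const packageLock = {
  lockfileVersion: 1,
  dependencies: {
    less: { version: "3.0.4", requires: { mkdirp: "^0.5.0" } },
    mkdirp: { version: "0.5.6", requires: { minimist: "^1.2.6" } },
    minimist: { version: "1.2.6" },
  },
};

// Resolve `name` the way Node does: innermost nested "dependencies" block first, then outward to the root.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Return every chain, as arrays of "name@version", from a direct dependency down to `target`.
function findPaths(pkg, lock, target) {
  const direct = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const found = [];
  function walk(name, scopes, chain, seen) {
    const node = resolve(scopes, name);
    if (!node || seen.has(node)) return; // not in the lock file, or a dependency cycle
    const next = [...chain, `${name}@${node.version}`];
    if (name === target) { found.push(next); return; }
    const nextSeen = new Set(seen).add(node);
    for (const dep of Object.keys(node.requires || {})) {
      walk(dep, [...scopes, node], next, nextSeen);
    }
  }
  for (const name of direct) walk(name, [lock], [], new Set());
  return found;
}

// Same "a > b > c" form that `npm audit` prints in its Path row (handles scoped @org/pkg names).
function formatPath(chain) {
  return chain.map((entry) => entry.slice(0, entry.lastIndexOf("@"))).join(" > ");
}

for (const chain of findPaths(packageJson, packageLock, "minimist")) {
  console.log(formatPath(chain), "->", chain[chain.length - 1]);
}
```

Run it against a real project by replacing the two constants with `require("./package.json")` and `require("./package-lock.json")`; the last element of each chain is the version the lock file pins, which is what `npm audit` checks even though package.json never mentions the package.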