node.js - npm shows severity vulnerabilities in Laravel
Problem description
npm shows severe vulnerabilities, but using
npm chache clear
npm cache clear --force
npm audit fix
npm install
I have tried all of these, but none of them solved my problem. Please tell me how to fix it.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1505 packages from 755 contributors and audited 18951 packages in 378.007s
found 11 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix
Result
>npm audit fix
npm WARN ajv-keywords@3.2.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 118.757s
fixed 0 of 11 vulnerabilities in 18990 scanned packages
11 vulnerabilities required manual review and could not be updated
And my package.json
{
  "private": true,
  "scripts": {
    "dev": "npm run development",
    "development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
    "watch": "npm run development -- --watch",
    "watch-poll": "npm run watch -- --watch-poll",
    "hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
    "prod": "npm run production",
    "production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
  },
  "devDependencies": {
    "axios": "^0.18",
    "babel-preset-react": "^6.24.1",
    "bootstrap": "^4.0.0",
    "cross-env": "^5.1",
    "jquery": "^3.2",
    "laravel-mix": "^2.0",
    "lodash": "^4.17.4",
    "popper.js": "^1.12",
    "vue": "^2.5.7"
  },
  "dependencies": []
}
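Solution
The current Laravel package.json has this vulnerability because of hoek and tunnel-agent. laravel-mix uses these packages and loads them through their package.json.
See more information about the issues here:
https://nodesecurity.io/advisories/566
https://nodesecurity.io/advisories/598
If you remove "laravel-mix": "^2.0", the vulnerabilities disappear, but you can no longer use Laravel Mix.
Based on the discussion here, I think the problem has been resolved.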
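To confirm which direct dependency pulls in a flagged transitive package such as hoek or tunnel-agent, you can walk the lockfile. The following is an added example, not code from the original post or from Laravel Mix. It assumes the package-lock.json v1 layout written by npm 5/6, and the sample tree, its versions and the package "example-http-client" are constructed for illustration, not the real laravel-mix dependency tree.

```javascript
'use strict';

// Constructed sample in package-lock.json v1 layout. Versions and the
// intermediate package "example-http-client" are made up for illustration.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'axios': { version: '0.18.0', requires: {} },
    'laravel-mix': { version: '2.1.0', requires: { 'example-http-client': '^1.0.0' } },
    'example-http-client': {
      version: '1.0.0',
      requires: { 'hoek': '2.x', 'tunnel-agent': '~0.4.0' },
      // Nested copy, as npm writes when a version cannot be hoisted.
      dependencies: { 'hoek': { version: '2.16.3' } },
    },
    'tunnel-agent': { version: '0.4.3' },
  },
};

// Resolve a required name the way Node does: look in the requiring package's
// own nested dependencies first, then in each ancestor up to the lockfile root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null; // optional or missing dependency (e.g. fsevents on win32)
}

// Return every chain "direct dep > ... > target@version" for the target names.
function findPaths(lock, directNames, targets) {
  const found = [];
  const walk = (name, scopes, trail) => {
    const hit = resolve(name, scopes);
    if (!hit || trail.includes(name)) return; // skip missing deps and cycles
    const path = trail.concat(name);
    if (targets.includes(name)) found.push(path.join(' > ') + '@' + hit.node.version);
    const inner = hit.scopes.concat(hit.node);
    for (const req of Object.keys(hit.node.requires || {})) walk(req, inner, path);
  };
  for (const d of directNames) walk(d, [lock], []);
  return found;
}

// For a real project, pass the parsed package-lock.json and the names listed
// under dependencies/devDependencies in package.json instead of the sample.
console.log(findPaths(sampleLock, ['axios', 'laravel-mix'], ['hoek', 'tunnel-agent']));
```

A chain that starts at a build-only devDependency tells you the flagged package is used by the build toolchain, and that the fix has to come from an updated release of that direct dependency, which is why `npm audit fix` reports the findings as needing manual review.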