lodash - Angular 项目中的 Lodash 漏洞
问题描述
将 npm 安装到 blur-admin 模板后https://github.com/akveo/blur-admin
我通过使用 npm 审计对话框中的运行建议修复了许多问题。但是,即使在运行后我也无法修复
$ npm install lodash@latest --save
我更新了 package.json 中的 lodash 文件:
{
"name": "blur_admin",
"version": "1.3.1",
"devDependencies": {
"bower": "~1.8.4",
"browser-sync": "^2.26.3",
"browser-sync-spa": "~1.0.3",
"chalk": "~1.1.1",
"del": "~2.2.2",
"eslint-plugin-angular": "~0.12.0",
"estraverse": "~4.2.0",
"gulp": "^4.0.0",
"gulp-angular-filesort": "^1.2.1",
"gulp-angular-templatecache": "~2.0.0",
"gulp-autoprefixer": "~3.1.1",
"gulp-eslint": "^5.0.0",
"gulp-filter": "~4.0.0",
"gulp-flatten": "~0.3.1",
"gulp-gh-pages": "^0.5.4",
"gulp-inject": "~4.1.0",
"gulp-load-plugins": "~1.4.0",
"gulp-minify-css": "~1.2.1",
"gulp-minify-html": "~1.0.4",
"gulp-ng-annotate": "~2.0.0",
"gulp-prompt": "^1.1.0",
"gulp-protractor": "^4.1.0",
"gulp-rename": "^1.2.2",
"gulp-replace": "~0.5.4",
"gulp-rev": "~7.1.2",
"gulp-rev-replace": "~0.4.2",
"gulp-sass": "^4.0.1",
"gulp-shell": "^0.5.2",
"gulp-size": "~2.1.0",
"gulp-sourcemaps": "~1.6.0",
"gulp-uglify": "~2.0.0",
"gulp-useref": "^3.1.6",
"gulp-util": "~3.0.6",
"gulp-zip": "^3.0.2",
"http-proxy-middleware": "~0.17.2",
"lodash": "^4.17.11",
"main-bower-files": "~2.13.1",
"uglify-save-license": "~0.4.1",
"wiredep": "~4.0.0",
"wrench": "~1.5.8"
},
"scripts": {
"postinstall": "bower install"
}
}
但仍然得到: PS D:\dev\Blur-Admin test\blur-admin-master\blur-admin-master> npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of browser-sync-spa [dev]
Path browser-sync-spa > opt-merger > lodash
More info https://nodesecurity.io/advisories/577
found 1 low severity vulnerability in 13272 scanned packages
1 vulnerability requires manual review. See the full report for details.
PS D:\dev\Blur-Admin test\blur-admin-master\blur-admin-master>
我什么都试过了!
解决方案
这通常意味着您的其他项目依赖项之一project.json
具有 lodash 依赖项,并且它们尚未修补其pacakge.json
.
错误说明它是哪一个:“browser-sync-spa”及其路径:
browser-sync-spa > opt-merger > lodash
您必须打开一个问题browser-sync-spa
或opt-merger
更新他们repo/package.json
或为他们打开一个 PR。
其他选择是接受它或Fork
他们的项目,即nuclear option
.
推荐阅读
- drop-down-menu - fullPage.js 下拉菜单
- jenkins - 如何使用 Jenkins 按原因获取失败构建的数量
- tensorflow - Tensorflow.js 错误:未知层:GaussianNoise
- javascript - 异步并等待以下获取请求
- python - Reuse ElementTree.iterparse
- django - 使用已经创建的 django 应用程序创建一个 virtualenv
- php - 如何处理动态多维输入名称 (PHP) 的 Post 值
- vba - 访问 vba docmd.applyfilter 获取日期
- c++ - 设置编译器库搜索路径不起作用
- javascript - 为什么这些三元表达式会给出不同的结果?