javascript - Manually fixing vulnerabilities in NPM
Problem description
I cloned a repository and ran npm install, but some errors occurred at the end. Now, whenever I run npm audit, I get the message
found 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages
9 vulnerabilities require semver-major dependency updates.
9 vulnerabilities require manual review. See the full report for details.
No matter what I do, they stay the same. I have also tried npm update, npm audit fix, npm audit fix --force and a few other solutions, but nothing has any effect. Here is the list of currently installed packages:
D:\NewState\opticare>npm list --depth=0
opticare@0.0.0 D:\NewState\opticare
+-- UNMET PEER DEPENDENCY @angular/animations@5.2.11
+-- @angular/cli@1.7.4
+-- UNMET PEER DEPENDENCY @angular/common@5.2.11
+-- UNMET PEER DEPENDENCY @angular/compiler@5.2.11
+-- @angular/compiler-cli@5.2.11
+-- UNMET PEER DEPENDENCY @angular/core@5.2.11
+-- UNMET PEER DEPENDENCY @angular/forms@5.2.11
+-- @angular/http@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser@5.2.11
+-- UNMET PEER DEPENDENCY @angular/platform-browser-dynamic@5.2.11
+-- @angular/router@5.2.11
+-- @auth0/angular-jwt@2.1.2
+-- @ng-bootstrap/ng-bootstrap@3.3.1
+-- @swimlane/ngx-charts@7.4.0
+-- @types/datatables.net@1.10.18
+-- @types/jasmine@2.8.16
+-- @types/jquery@3.3.31
+-- @types/node@6.0.118
+-- @types/systemjs@0.20.7
+-- angular-archwizard@3.0.0
+-- angular-datatables@6.0.1
+-- angular2-csv@0.2.9
+-- angular2-spinner@1.0.10
+-- bcrypt-nodejs@0.0.3
+-- chalk@2.4.2
+-- chart.js@2.9.3
+-- codelyzer@4.5.0
+-- core-js@2.6.11
+-- cron@1.8.2
+-- datatables.net@1.10.20
+-- datatables.net-dt@1.10.20
+-- express@4.17.1
+-- file-saver@1.3.8
+-- googleapis@35.0.0
+-- http-errors@1.7.3
+-- install-peerdeps@2.0.1
+-- jasmine-core@2.8.0
+-- jasmine-spec-reporter@4.2.1
+-- jodit-angular@1.0.86
+-- jquery@3.4.1
+-- jsonwebtoken@8.5.1
+-- jwt-decode@2.2.0
+-- karma@2.0.5
+-- karma-chrome-launcher@2.2.0
+-- lodash@4.17.15
+-- moment@2.24.0
+-- moment-timezone@0.5.27
+-- mongoose@5.8.9
+-- mongoose-paginate@5.0.3
+-- multer@1.4.2
+-- ng2-nouislider@1.8.2
+-- ngx-bootstrap@2.0.5
+-- ngx-chips@1.9.8
+-- ngx-toastr@6.5.0
+-- node-cron@1.2.1
+-- node-sass@4.13.1
+-- nodemailer@4.7.0
+-- nouislider@11.1.0
+-- UNMET PEER DEPENDENCY rxjs@5.5.12
+-- shortid@2.2.15
+-- ts-helpers@1.1.2
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- twilio@3.39.3
+-- typescript@2.4.2
+-- xlsx@0.13.5
`-- zone.js@0.8.29
npm ERR! peer dep missing: @angular/animations@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/common@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/common@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/core@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: @angular/core@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by gulp-typescript@5.0.1
And finally, my package.json file:
{
"name": "opticare",
"version": "0.0.0",
"license": "MIT",
"angular-cli": {},
"scripts": {
"build": "ng build",
"ng": "ng",
"start": "ng serve",
"test": "ng test",
"pree2e": "webdriver-manager update --standalone false --gecko false",
"e2e": "protractor"
},
"private": true,
"dependencies": {
"@angular/animations": "^5.2.0",
"@angular/common": "^5.2.0",
"@angular/compiler": "^5.2.0",
"@angular/compiler-cli": "^5.2.0",
"@angular/core": "^5.2.0",
"@angular/forms": "^5.2.0",
"@angular/http": "^5.2.0",
"@angular/platform-browser": "^5.2.0",
"@angular/platform-browser-dynamic": "^5.2.0",
"@angular/router": "^5.2.0",
"@auth0/angular-jwt": "^2.0.0",
"@ng-bootstrap/ng-bootstrap": "^3.2.2",
"@swimlane/ngx-charts": "^7.4.0",
"angular-archwizard": "^3.0.0",
"angular-datatables": "^6.0.0",
"angular2-csv": "^0.2.5",
"angular2-spinner": "^1.0.10",
"bcrypt-nodejs": "0.0.3",
"chalk": "^2.4.1",
"chart.js": "^2.7.2",
"core-js": "^2.4.1",
"cron": "^1.3.0",
"datatables.net": "^1.10.19",
"datatables.net-dt": "^1.10.19",
"express": "^4.16.3",
"file-saver": "^1.3.8",
"googleapis": "^35.0.0",
"http-errors": "^1.6.3",
"install-peerdeps": "^2.0.1",
"jodit-angular": "^1.0.59",
"jquery": "^3.3.1",
"jsonwebtoken": "^8.1.0",
"jwt-decode": "^2.2.0",
"lodash": "^4.17.10",
"moment": "^2.22.2",
"moment-timezone": "^0.5.21",
"mongoose": "^5.2.4",
"mongoose-paginate": "^5.0.3",
"multer": "^1.3.0",
"ng2-nouislider": "^1.7.7",
"ngx-bootstrap": "^2.0.3",
"ngx-chips": "^1.9.2",
"ngx-toastr": "^6.4.0",
"node-cron": "^1.2.1",
"node-sass": "^4.9.2",
"nodemailer": "^4.6.8",
"nouislider": "^11.0.3",
"rxjs": "^5.5.12",
"shortid": "^2.2.8",
"ts-helpers": "^1.1.1",
"twilio": "^3.19.2",
"typescript": "^2.4.2",
"xlsx": "^0.13.0",
"zone.js": "^0.8.19"
},
"devDependencies": {
"@angular/cli": "^1.7.4",
"@angular/compiler-cli": "^5.2.0",
"@types/datatables.net": "^1.10.12",
"@types/jasmine": "~2.8.3",
"@types/jquery": "^3.3.4",
"@types/node": "~6.0.60",
"@types/systemjs": "^0.20.5",
"codelyzer": "^4.0.1",
"jasmine-core": "~2.8.0",
"jasmine-spec-reporter": "~4.2.1",
"karma-chrome-launcher": "~2.2.0",
"karma": "^2.0.4"
}
}
Solution
You have to use npm audit and actually read the audit log. It contains suggestions about which versions you can install to fix the vulnerabilities. More information about npm audit is available at https://docs.npmjs.com/cli/audit.
Vulnerabilities
You can list them with npm audit. In the report for each vulnerability you will also see how to fix it. When you run npm audit fix, you are telling npm to perform those fixes. However, npm will not automatically install fixes that could break your project, such as major version changes. If you think the vulnerabilities matter more than dealing with possible breaking changes, you have to run those npm install commands manually.
Note: since this was written, npm audit fix --force has been added, which even applies patches that may introduce breaking changes. Use at your own risk; I used it and the result was bad, really bad.
Peer dependencies
Another common warning is the peer dependency warning. A peer dependency does not specify a dependency but compatibility. See this post for a better explanation of peer dependencies: https://stackoverflow.com/a/34645112/1016004
You can see peer dependency warnings for two reasons: the specified peer dependency is missing, or it is installed in the wrong version. In both cases you have to work out the right answer yourself. The core question to answer is whether you can install the dependency in your project:
- Are you using any deprecated features that will be removed in the update, do any breaking changes apply to your code, ...?
- Would you have to revert to a version with known vulnerabilities that, in the way you use it, could compromise user data, ...?
The simple solution, not recommended for production, is to manually try running npm install with the versions suggested for the vulnerabilities and peer dependencies. Make sure you have version control or a backup so you can restore if you end up with more errors than you started with.
If the simple solution does not fix it, you will have to look for other versions of the packages that are part of the unresolvable constraint. Maybe earlier versions of those packages work together?
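The answer says you have to read the peer-dependency warnings and decide for yourself whether a version exists that satisfies them, and that npm audit fix will not apply semver-major updates on its own. The following Node script is an added example, not code from the question or the answer: it takes the "npm ERR! peer dep missing" lines from the question and the versions from its npm list output (both embedded as constructed input), groups the requested ranges per package, finds the lowest version that satisfies every range at once, and flags whether reaching it is a major-version jump. It assumes a simplified semver subset (exact, ^, ~, >= joined by ||, pre-release suffixes ignored); real npm uses the full semver package.

```javascript
// Added example (not from the question or the answer): check the installed
// versions from the question against the peer-dependency ranges npm printed,
// and work out the lowest version that would satisfy every range at once.
// Assumption: a simplified semver subset (exact, ^, ~, >=, joined by "||") in
// which pre-release suffixes such as "-rc.0" or "-dev" are ignored; real npm
// uses the full `semver` package, so treat this as an approximation.

// Constructed input: a subset of the "npm ERR! peer dep missing" lines from the question.
const PEER_ERRORS = `
npm ERR! peer dep missing: @angular/animations@^6.0.0, required by ngx-chips@1.9.8
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/angular-jwt@2.1.2
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by angular2-csv@0.2.9
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/ng-bootstrap@3.3.1
npm ERR! peer dep missing: rxjs@^6.1.0, required by angular-datatables@6.0.1
npm ERR! peer dep missing: tslint@^5.0.0, required by codelyzer@4.5.0
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by gulp-typescript@5.0.1
`;

// Constructed input: the matching versions from the question's "npm list --depth=0".
// tslint is deliberately absent, as it is in the question (UNMET PEER DEPENDENCY).
const INSTALLED = {
  '@angular/animations': '5.2.11',
  '@angular/common': '5.2.11',
  rxjs: '5.5.12',
  typescript: '2.4.2',
};

// "6.0.0-rc.0" -> [6, 0, 0]; the pre-release tag is dropped (simplification).
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`unsupported version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One comparator -> inclusive lower bound and exclusive upper bound (null = unbounded).
function parseComparator(text) {
  const c = text.trim();
  let lo;
  let hi = null;
  if (c.startsWith('^')) {
    lo = parseVersion(c.slice(1));
    hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  } else if (c.startsWith('~')) {
    lo = parseVersion(c.slice(1));
    hi = [lo[0], lo[1] + 1, 0];
  } else if (c.startsWith('>=')) {
    lo = parseVersion(c.slice(2));
  } else {
    lo = parseVersion(c.replace(/^=/, ''));
    hi = [lo[0], lo[1], lo[2] + 1];
  }
  return { lo, hi };
}

// A range is comparators joined by "||"; the version satisfies it if any comparator matches.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((c) => {
    const { lo, hi } = parseComparator(c);
    return compare(v, lo) >= 0 && (hi === null || compare(v, hi) < 0);
  });
}

// Group the npm error lines by the package whose peer range is unmet.
function parsePeerErrors(text) {
  const re = /^npm ERR! peer dep missing: (.+?)@(.+?), required by (.+)$/;
  const byPackage = {};
  for (const line of text.split('\n')) {
    const m = re.exec(line.trim());
    if (!m) continue;
    const [, pkg, range, requiredBy] = m;
    if (!byPackage[pkg]) byPackage[pkg] = [];
    byPackage[pkg].push({ range, requiredBy });
  }
  return byPackage;
}

// For each package: which requirements the installed version fails, the lowest
// version satisfying all of them (an intersection of half-open intervals can
// only start at one of the requested lower bounds, so those are the candidates),
// and whether reaching it is a semver-major jump, which is the kind of update
// "npm audit fix" refuses to apply on its own.
function analyse(installed, peerErrors) {
  const report = {};
  for (const [pkg, reqs] of Object.entries(peerErrors)) {
    const current = installed[pkg] === undefined ? null : installed[pkg];
    const unmet = reqs.filter((r) => current === null || !satisfies(current, r.range));
    const candidates = reqs
      .flatMap((r) => r.range.split('||').map((c) => parseComparator(c).lo))
      .sort(compare);
    const fix = candidates.find((lo) => reqs.every((r) => satisfies(lo.join('.'), r.range)));
    report[pkg] = {
      installed: current,
      unmet: unmet.map((r) => `${r.range} (required by ${r.requiredBy})`),
      minimalSatisfying: fix ? fix.join('.') : null,
      requiresMajorUpdate: Boolean(fix && current !== null && fix[0] !== parseVersion(current)[0]),
    };
  }
  return report;
}

console.log(JSON.stringify(analyse(INSTALLED, parsePeerErrors(PEER_ERRORS)), null, 2));
```

Run it with node and read the report: for @angular/common the three ranges intersect at 6.1.0, for rxjs at 6.1.0, and both are flagged requiresMajorUpdate because the installed versions are 5.x, which is why neither npm update nor npm audit fix will make that change and the decision is left to you, as the answer says. typescript, by contrast, can reach 2.7.1 without a major jump, and tslint is simply not installed at all.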