node.js - Vulnerability audit on npm install
Problem description
I am building a website with a Node Express backend that serves a React app located in the public directory. Everything works on my computer. I put all of it on an AWS server, ran npm install for my server and then for the app in the public directory, and that is where I got this message:
/public$ npm audit fix
up to date, audited 1960 packages in 5s
# npm audit report
public *
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1000
Path Traversal - https://npmjs.com/advisories/571
Cross-Site Scripting - https://npmjs.com/advisories/609
fix available via `npm audit fix`
1 high severity vulnerability
To address all issues, run:
npm audit fix
On my computer everything is fine. I tried starting over, emptying the node_modules directory and reinstalling, but it's the same. I think I must have failed to copy or delete some file, but I don't know where to start, and I don't know what "public *" is; is it a module? If you have any ideas, you are welcome!
Solution
By default, when you run npm install, another command, called npm audit, is also executed. It's a tool to check if your project's dependencies have some known vulnerabilities.
It has nothing to do with your environment, local or AWS, it's all about dependencies.
Auditing package dependencies for security vulnerabilities
The npm audit --fix can automatically fix vulnerabilities; however, the documentation says that in some cases manual intervention might be required.
You need to look closely at the output of the command and, if interested, read about the vulnerability and fix it.