Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original: http://stackoverflow.com/questions/51377148/
How to fix npm vulnerabilities manually?
Asked by Jakupov
When I run npm install it says found 33 vulnerabilities (2 low, 31 moderate)
run `npm audit fix` to fix them, or `npm audit` for details.
However, npm audit fix outputs up to date in 11s
fixed 0 of 33 vulnerabilities in 24653 scanned packages
33 vulnerabilities required manual review and could not be updated
Does that review mean it is not supposed to be fixed by the user?
When I run npm audit it gives me a list of tables, similar to this:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > easy-extender > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
In this example, the remediation section of the linked page says Update to version 4.17.5 or later. However, in /node_modules/browser-sync/package.json there are these lines:
"devDependencies": {
"lodash-cli": "4.17.5",
}
and no more lodash dependencies. So it should already be v4.17.5. I also checked /node_modules/lodash/lodash.json which has the var VERSION = '4.17.10'; line. In /node_modules/lodash/package.json there are these lines:
"_from": "lodash@^4.17.4",
"_id": "lodash@4.17.10",
I believe that the version is shown in "_id", not in "_from", so the versions are correct but the vulnerability still appears in the audit list.
I'm still new to node.js and those messages confuse me a lot. Is there any way to fix it manually, or get rid of those messages I can't do anything with?
Accepted answer by Estus Flask
lodash-cli in devDependencies doesn't affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency.
What the audit report says is that it's easy-extender that has the lodash dependency:
browser-sync > easy-extender > lodash
It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from NPM public registry. But there is no real problem with this dependency.
The audit report's importance should be evaluated manually. Even if a nested dependency has a security risk, this doesn't mean that the feature that introduces this risk was used. This also doesn't mean that, even if it's used, it introduces real risk due to how it's used.
browser-sync is a development tool that isn't used in production, so there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices; it can be ignored.
Generally, this is the way to fix reported vulnerabilities:
- Do a sanity check
- In case it's a real problem, check the repository of the vulnerable package for existing issues and PRs
- In case there's none, submit an issue
- Fork the repository or use an existing PR as a git dependency until it's fixed in an NPM release
- In case of nested dependencies, do this at several levels of nesting
Most times it's expected that you won't advance beyond a sanity check.
patch-package can help to patch nested dependencies in-place, but this won't affect the audit report.
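As an added example (not from the question or any of the answers), here is a small Node.js script that performs the "sanity check" step of the procedure above on the JSON form of the report (npm audit --json): it separates findings that are only reachable through dev dependencies, like the browser-sync > easy-extender > lodash path in the question, from findings on production paths, and compares each installed version with the advisory's patched range. The report shape (advisories keyed by id, with findings[].version, findings[].paths, findings[].dev and patched_versions) is assumed from the npm 6 format, and the report object below is constructed; the second finding's path is invented to show a production-reachable case.

```javascript
// Added example: triage of an `npm audit --json` report (npm 6 shape assumed).
// SAMPLE_REPORT is constructed; the first finding mirrors the question's table,
// the second path is a made-up production dependency for illustration.
const SAMPLE_REPORT = {
  advisories: {
    577: {
      id: 577,
      module_name: 'lodash',
      title: 'Prototype Pollution',
      severity: 'low',
      patched_versions: '>=4.17.5',
      url: 'https://nodesecurity.io/advisories/577',
      findings: [
        { version: '3.10.1', paths: ['browser-sync>easy-extender>lodash'], dev: true },
        { version: '4.17.4', paths: ['constructed-prod-dep>lodash'], dev: false },
      ],
    },
  },
};

// Compare an installed version against the common ">=x.y.z" form of
// patched_versions. Any other range syntax returns null ("unknown") rather
// than guessing, so a complex range is never silently treated as safe.
function isPatched(installed, patchedRange) {
  const m = /^>=\s*(\d+)\.(\d+)\.(\d+)$/.exec(patchedRange.trim());
  if (!m) return null;
  const have = installed.split('.').map(n => parseInt(n, 10));
  const need = m.slice(1, 4).map(n => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true; // exactly the patched version
}

// One row per finding: which copy is affected, whether only a dev tool
// reaches it, and whether it is really below the patched range.
function triage(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories)) {
    for (const f of adv.findings) {
      const patched = isPatched(f.version, adv.patched_versions);
      rows.push({
        id: adv.id, module: adv.module_name, path: f.paths[0], installed: f.version,
        scope: f.dev ? 'dev-only' : 'production',
        status: patched === null ? 'unknown' : (patched ? 'already patched' : 'vulnerable'),
      });
    }
  }
  return rows;
}

console.table(triage(SAMPLE_REPORT));
```

Production-reachable, vulnerable rows are the ones worth the rest of the procedure; dev-only rows are the case the answer says can usually stop at the sanity check.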
Answer by Tjad Clark
If you are absolutely certain you'd like to skip the audit, you can do so by appending --no-audit
npm install --no-audit
Answer by nik
'npm audit fix' will increment the version of the dependency in package.json, which might lead to breaking of code. So a better way is to open package-lock.json and update the dependency/subdependency versions to the required version. Maintain the package-lock.json in the repository.
Sometimes vulnerabilities are from dev packages. In that case, ignore those vulnerabilities, as those are not getting picked up in production.
Answer by Gaurav Rana
Most of the problems that occurred in my system were due to the npm package. I tried,
npm un npm
You don't have to install again.
Just run program again. It worked for me.