I tried to update the npm version in package.json to the latest, 6.14.7.
After updating npm to the latest version, I ran npm audit and it showed two vulnerabilities in the dot-prop package dependency under the npm path.
So I tried updating dot-prop to the latest version, ^5.1.1. But the same errors still appear.
Please help me with this: how can I review and fix it manually?
Audit report:
[root@redhatdev client]# npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Prototype Pollution
Package dot-prop
Patched in >=5.1.1
Dependency of npm [dev]
Path npm libnpx update-notofoer configstore dot-prop
More info https://npmjs.com/advisories/1213
High Prototype Pollution
Package dot-prop
Patched in >=5.1.1
Dependency of npm [dev]
Path npm update-notofoer configstore dot-prop
More info https://npmjs.com/advisories/1213
found 2 high severity vulnerabilities in 1674 scanned packages
2 vulnerabilities require manual review. See the full report for details.
[root@redhatdev client]#
Full audit report: npm audit --json
{
  "actions": [
    {
      "action": "review",
      "module": "dot-prop",
      "resolves": [
        {
          "id": 1213,
          "path": "npm>libnpx>update-notifier>configstore>dot-prop",
          "dev": true,
          "optional": false,
          "bundled": true
        },
        {
          "id": 1213,
          "path": "npm>update-notifier>configstore>dot-prop",
          "dev": true,
          "optional": false,
          "bundled": true
        }
      ]
    }
  ],
  "advisories": {
    "1213": {
      "findings": [
        {
          "version": "4.2.0",
          "paths": [
            "npm>libnpx>update-notifier>configstore>dot-prop",
            "npm>update-notifier>configstore>dot-prop"
          ]
        }
      ],
      "id": 1213,
      "created": "2019-10-14T17:43:55.291Z",
      "updated": "2020-07-29T20:58:02.206Z",
      "deleted": null,
      "title": "Prototype Pollution",
      "found_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "module_name": "dot-prop",
      "cves": [
        "CVE-2020-8116"
      ],
      "vulnerable_versions": "<5.1.1",
      "patched_versions": ">=5.1.1",
      "overview": "Versions of `dot-prop` before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n",
      "recommendation": "Upgrade to version 5.1.1 or later.",
      "references": "- [GitHub advisory](https://github.com/advisories/GHSA-ff7x-qrg7-qggm)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-8116)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-471",
      "metadata": {
        "module_type": "",
        "exploitability": 4,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1213"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0
    },
    "dependencies": 61,
    "devDependencies": 1612,
    "optionalDependencies": 31,
    "totalDependencies": 1674
  },
  "runId": "9b99170c-35c0-44b1-a0e6-8b714069a255"
}
Edit 2:
Now I have found the problem.
You updated npm locally (in your package.json).
So run:
npm uninstall npm --save
(uninstalls it locally)
Then:
npm i npm -g
(updates npm globally rather than locally)
This fixed the problem.

Edit: To me this looks like an npm issue.
Here is what I did:
I had npm version 6.14.6.
I installed dot-prop.
No problem.
I updated npm to 6.14.7.
2 vulnerabilities.
I ran npm audit fix and got fixed 0 of 2 vulnerabilities.
I ran npm -v and got 6.14.6.
So I think this is a problem with npm 6.14.7 (and/or in combination with this particular package).

Original message:
Have you also tried npm audit fix?
It also says https://go.npm.me/audit-guide for additional guidance. Have you tried that too?
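The advisory quoted in the question says dot-prop's `set` did not restrict modification of an object's prototype. As an added illustration (not dot-prop's code, and not part of the question or answer), here is a minimal dot-path setter in that style next to a hardened variant that refuses the path segments which lead onto a prototype, plus a check that a test suite can run to confirm Object.prototype stayed clean. The function names are hypothetical.

```javascript
// Added illustration, not dot-prop's own code: a simplified dot-path setter
// in the style of dot-prop's `set`, shown without and with the prototype
// guard that the advisory (CVE-2020-8116) says versions before 5.1.1 lacked.

// Naive setter: walks "a.b.c", creating intermediate objects as needed.
// It trusts every segment, so a path such as "__proto__.x" descends into
// Object.prototype and the new property then appears on every plain object.
function setUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: reject the segments that can reach a prototype, and only
// descend into own properties so an inherited object is never traversed.
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function setSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => DISALLOWED_KEYS.has(k))) {
    throw new Error(`Refusing path with reserved segment: ${path}`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Regression check: does Object.prototype itself now carry `key`?
// `true` after calling a setter means the prototype was polluted.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

Running `isPolluted` after the test suite exercises any dot-path setter is a cheap way to catch a regression of this class before `npm audit` has to tell you about it.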