作者:清新的淡淡茶绿 | 来源:互联网 | 2022-10-30 10:03
我最近更新了angular使用的版本,ng update
运行npm audit
时发现了1个严重漏洞,但未提供解决建议。通常建议从package.json升级软件包,例如:“ angular-devkit / build-angular”,但我已经在使用其最新版本。
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
我想安装,npm i tar
但不确定。
1> masterfloda..:
angular-cli
relies on node-gyp
, who have an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
2> 小智..:
以下为我工作:
转到node_modules> node_gyp> package.json,然后在依赖项下找到tar并将2.0.0替换为4.4.8。
然后运行:
我
npm审核
npm审核修复
npm审核
您应该看到0个漏洞。
我更新了一些有角度的项目,每个项目都有相同的问题。始终执行上述操作。
这不好。更改本地node_modules始终是一个较差的解决方案,因为您的更改不会反映在全新安装中。