Recently, whenever I install dependencies with npm, the following prompt shows up at the end:

```bash
added 50 packages from 61 contributors and audited 7927 packages in 17.609s
found 7 vulnerabilities (1 low, 1 moderate, 4 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
```
This never used to happen. Following the prompt, I ran `npm audit fix`:

```bash
fixed 0 of 7 vulnerabilities in 7927 scanned packages
2 package updates for 7 vulns involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
```
Then I ran `npm audit fix --force`:

```bash
added 86 packages from 472 contributors, removed 23 packages and updated 19 packages in 16.606s
fixed 7 of 7 vulnerabilities in 7927 scanned packages
2 package updates for 7 vulns involved breaking changes
(installed due to `--force` option)
```
To understand what was going on, I looked this up on the npm website.

npm-audit
Run a security audit

Since npm@5.10.0 and npm@6, this command lets developers analyze complex code and pinpoint specific vulnerabilities and flaws:

```bash
npm audit
```

Since npm@6.1.0, it can also detect vulnerabilities in the project's dependencies and automatically install updated versions of the vulnerable dependencies, so you don't have to track them down and fix them yourself:

```bash
npm audit fix
```
The site also documents a few other options:

```bash
# Get the detailed audit report in JSON format
npm audit --json

# Get the detailed audit report as tab-separated output, convenient for reuse in scripts or on the command line
npm audit --parseable

# Run `audit fix` without modifying `node_modules`, but still update the package-lock
npm audit fix --package-lock-only
```