First, I get the following message when running `npm audit`:
```
updated 1 package and audited 381 packages in 1.767s
found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

→ weatherApp npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.18.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nominatim-geocoder                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nominatim-geocoder > axios                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/880                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 1 moderate severity vulnerability in 381 scanned packages
  1 vulnerability requires manual review. See the full report for details.
→ weatherApp
```
Typing `npm audit fix` does not help either:
```
fixed 0 of 1 vulnerability in 381 scanned packages
  1 vulnerability required manual review and could not be updated
```
At https://npmjs.com/advisories/880 they suggest upgrading the `axios` version to `>=0.18.1`. However, in my `package.json` the version is `^0.19.0`.
package.json:

```json
...
"dependencies": {
  "axios": "^0.19.0",
  "body-parser": "^1.19.0",
  "ejs": "^3.0.1",
  "epxress": "0.0.1-security",
  "express": "^4.17.1",
  "nodemon": "^2.0.1",
  "nominatim-geocoder": "^0.1.4",
  "request": "^2.88.0"
}
...
```
So I tried manually upgrading the version of `axios` in `package-lock.json`, because it still shows `0.16.1`.
package-lock.json:

```json
"nominatim-geocoder": {
  "version": "0.1.4",
  "resolved": "https://registry.npmjs.org/nominatim-geocoder/-/nominatim-geocoder-0.1.4.tgz",
  "integrity": "sha1-7o8I+CZq0tL5zYfdQhzCdmtRF78=",
  "requires": {
    "axios": "^0.16.1",
    "lru": "^3.1.0",
    "promise-queue": "^2.2.3",
    "sha1": "^1.1.1"
  },
  "dependencies": {
    "axios": {
      "version": "0.16.2",
      "resolved": "https://registry.npmjs.org/axios/-/axios-0.16.2.tgz",
      "integrity": "sha1-uk+S8XFn37q0CYN4VFS5rBScPG0=",
      "requires": {
        "follow-redirects": "^1.2.3",
        "is-buffer": "^1.1.5"
      }
```
...to version `0.19.0`. However, that did not help... Any suggestions?
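To see why the top-level `axios` version alone does not clear the advisory, here is an added example (not part of the question) that walks a lockfileVersion 1 `package-lock.json` tree, lists every installed copy of a package with its `parent > child` path, and flags the copies below the advisory's "Patched in" version; the lock object is constructed to mirror the fragment above.

```javascript
// Added example (not from the question): walk a package-lock.json (lockfileVersion 1)
// tree and report every installed copy of a package with its dependency path,
// flagging copies below an advisory's patched version. The lock object below is
// constructed to mirror the fragment in the question; no file is read.
const lock = {
  name: 'weatherApp',
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '0.19.0' },
    'nominatim-geocoder': {
      version: '0.1.4',
      requires: { axios: '^0.16.1' },
      dependencies: {
        // nested copy: the one `npm audit` reports as nominatim-geocoder > axios
        axios: { version: '0.16.2', requires: { 'follow-redirects': '^1.2.3' } },
      },
    },
  },
};

// Minimal numeric semver compare (major.minor.patch only; prerelease tags ignored).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, recording the
// "parent > child" path the way `npm audit` prints it.
function findInstalled(deps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findInstalled(info.dependencies, name, here, out);
  }
  return out;
}

// Copies that still fall below the advisory's "Patched in" version.
function vulnerableCopies(lockfile, name, patchedIn) {
  return findInstalled(lockfile.dependencies, name)
    .filter((c) => cmpVersion(c.version, patchedIn) < 0);
}

console.log(vulnerableCopies(lock, 'axios', '0.18.1'));
```

Run against a real lock file by replacing the constructed `lock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the nested copy is what the audit keeps reporting, and it only changes when the parent's own `requires` range allows a patched version.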