The problem:
When creating a new project with the `ng new hello-world` command, the project printed the following warning:
found 1 high severity vulnerability run `npm audit fix` to fix them, or `npm audit` for details
Command analysis:
Scan the project for vulnerabilities and automatically install any compatible updates to the vulnerable dependencies:
$ npm audit fix [--force]
Scan the project for vulnerabilities and show the details without fixing anything:
$ npm audit
Get a detailed audit report in JSON format:
$ npm audit --json
Attempted resolution (still unresolved):
1. After running `npm audit fix --force`, the following message appeared:
fixed 0 of 1 vulnerability in 42611 scanned packages 1 vulnerability required manual review and could not be updated
2. Run `npm audit --json` to get the audit result:
$ npm audit --json
{
  "actions": [
    {
      "action": "review",
      "module": "tar",
      "resolves": [
        {
          "id": 803,
          "path": "@angular-devkit/build-angular>node-sass>node-gyp>tar",
          "dev": true,
          "optional": true,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "803": {
      "findings": [
        {
          "version": "2.2.1",
          "paths": [
            "@angular-devkit/build-angular>node-sass>node-gyp>tar"
          ],
          "dev": true,
          "optional": true,
          "bundled": false
        }
      ],
      "id": 803,
      "created": "2019-04-04T03:31:56.572Z",
      "updated": "2019-04-12T15:52:56.353Z",
      "deleted": null,
      "title": "Arbitrary File Overwrite",
      "found_by": {
        "link": "",
        "name": "Max Justicz"
      },
      "reported_by": {
        "link": "",
        "name": "Max Justicz"
      },
      "module_name": "tar",
      "cves": [],
      "vulnerable_versions": "<4.4.2",
      "patched_versions": ">=4.4.2",
      "overview": "Versions of `tar` prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.",
      "recommendation": "Upgrade to version 4.4.2 or later.",
      "references": "- [HackerOne Report](https://hackerone.com/reports/344595)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-59",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/803"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 1,
      "critical": 0
    },
    "dependencies": 21,
    "devDependencies": 42590,
    "optionalDependencies": 2091,
    "totalDependencies": 42611
  },
  "runId": "8e446833-64cb-4b92-8bf0-f297c6ce45ab"
}
The printed result shows that the `tar` package pulled in by `node-gyp` (along the path `@angular-devkit/build-angular>node-sass>node-gyp>tar`) is too old: the installed 2.2.1 falls in the vulnerable range `<4.4.2`, so it needs to be at version 4.4.2 or later. Reference: https://www.npmjs.com/advisories/803
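The commands listed under "Command analysis" and the JSON report above are only useful if the report can be read mechanically. The Node.js script below is an added example (not code from the original post, nor part of npm or Angular) that triages an npm 6-layout `npm audit --json` report offline: it checks the installed version against the advisory's `vulnerable_versions` range, maps each finding to the npm action (an action of "review" means npm found no compatible update along that dependency path, which is why `npm audit fix` reported "fixed 0 of 1" above), names the top-level dependency whose upgrade would pull in the fix, and offers a severity gate that a CI job could use. `SAMPLE_REPORT` is a trimmed copy of the report printed above; the range parser deliberately handles only single-comparator ranges such as `<4.4.2` and returns "unknown" for anything else. Function and field names are this example's own.

```javascript
// Added example (not from the original post): offline triage of an
// `npm audit --json` report in the npm 6 layout shown above.
// SAMPLE_REPORT is a trimmed copy of the report printed in the post.
const SAMPLE_REPORT = {
  actions: [{
    action: "review", module: "tar",
    resolves: [{ id: 803, path: "@angular-devkit/build-angular>node-sass>node-gyp>tar",
                 dev: true, optional: true, bundled: false }]
  }],
  advisories: {
    "803": {
      id: 803, module_name: "tar", title: "Arbitrary File Overwrite",
      severity: "high", cwe: "CWE-59",
      vulnerable_versions: "<4.4.2", patched_versions: ">=4.4.2",
      findings: [{ version: "2.2.1", dev: true, optional: true, bundled: false,
                   paths: ["@angular-devkit/build-angular>node-sass>node-gyp>tar"] }],
      url: "https://npmjs.com/advisories/803"
    }
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 } }
};

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// "4.4.2" -> [4, 4, 2]; a prerelease suffix such as "-beta.1" is dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric (not lexical) comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside a single-comparator advisory range such as
// "<4.4.2" or ">=4.4.2"? Any other range syntax returns null ("unknown")
// rather than being silently treated as safe.
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return null;
  const c = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case "<":  return c < 0;
    case "<=": return c <= 0;
    case ">":  return c > 0;
    case ">=": return c >= 0;
    default:   return c === 0;
  }
}

// One triage row per (advisory, dependency path). `action` is taken from the
// report's "actions" list: "review" means npm found no compatible update along
// that path, so `npm audit fix` cannot resolve it and a human must act.
function triage(report) {
  const actionByPath = new Map();
  for (const a of report.actions || []) {
    for (const r of a.resolves || []) actionByPath.set(`${r.id}|${r.path}`, a.action);
  }
  const rows = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    for (const f of adv.findings || []) {
      for (const path of f.paths || []) {
        const chain = path.split(">");
        rows.push({
          id: Number(id),
          module: adv.module_name,
          severity: adv.severity,
          installed: f.version,
          confirmedVulnerable: satisfies(f.version, adv.vulnerable_versions),
          patchedVersions: adv.patched_versions,
          devOnly: f.dev === true,
          optional: f.optional === true,
          action: actionByPath.get(`${id}|${path}`) || "unknown",
          topLevelDependency: chain[0], // the package whose upgrade pulls in the fix
          depth: chain.length,
        });
      }
    }
  }
  return rows;
}

// CI-style gate: true when any finding at or above `threshold` remains.
// With includeDev=false, findings reachable only through devDependencies are ignored.
function exceedsThreshold(report, threshold, includeDev = true) {
  const min = SEVERITY_ORDER.indexOf(threshold);
  return triage(report).some(r =>
    SEVERITY_ORDER.indexOf(r.severity) >= min && (includeDev || !r.devOnly));
}

// Stand-alone usage: `node triage.js audit.json`, or no argument to use the sample.
let report = SAMPLE_REPORT;
if (typeof require === "function" && process.argv[2]) {
  report = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
}
console.table(triage(report));
console.log("blocks at 'high' or above:", exceedsThreshold(report, "high"));
```

For the report above, the single row comes out as `action: "review"`, `depth: 4` and `topLevelDependency: "@angular-devkit/build-angular"`, which is the practical takeaway: the fix has to arrive through a newer `@angular-devkit/build-angular` (or `node-sass`/`node-gyp`) release that depends on `tar` 4.4.2 or later, since npm found no compatible bump it could apply itself. The `devOnly` flag also records that this path is only reachable through devDependencies, which matters when deciding how urgently a build-time-only finding has to block a release.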
3. About node-gyp.
GYP (Generate Your Projects) is an open-source build system from Google. It was originally used for the Chromium project, and other open-source projects have since adopted GYP as well, such as V8 and node-gyp. Reference: http://erikge.com/articles/HelloGyp/
4. node-gyp is not needed for now; this is left as a placeholder to be filled in later.