在 package-lock. json 中定义的依赖项中修复潜在安全漏洞的正确方法

Github 在我的一个存储库中给出了这个错误。

We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities
and should be updated.

我们的 package.json文件中没有定义依赖项。据我所知,删除 package-lock.json文件并重新生成它并不是一个好的做法。然而,我找不到任何其他方法来解决这个问题。如果我忽略这个安全漏洞,它将在几天后再次出现。有什么想法吗?谢谢!

52781 次浏览
小开

To my understanding it isn't good practice to delete the package-lock.json file and regenerate it.

Yet, this is what is usually done in this instance.
See for example angular/angular-cli issue 8534, which is resolved by PR 8535.
That leads a dependent project like frees-io/freestyle-opscenter-webclient to update its package-lock.json: PR 31.

小开
最佳答案

New: now, with npm@6 you can directly run

npm audit fix

Old answer:

You should try to identify the problematic package's name, and then run

npm install package-name

replacing package-name, obviously.

This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (eg: 1.2), you can always try to:

npm install package-name@^1.2

and the latest patched version will be installed

小开

To resolve this:

Solution1: First find the vulnerability:Using your terminal: cd into your project, then run "npm ls hoek"

And finally: npm install bcrypt@latest

Then push the updated project to git.(i.e perform a fresh commit).

Solution 2:

if the first option/solution does not resolve the issue.Change the version manually in your package-lock.json. Change your version manually from 2.16.3 to 4.2.1

"hoek": {
"version":  "4.2.1",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
"dev": true

Then update your project on GitHub(commit/push) Just make sure every hoek version occurrence in your package-lock.json version is changed to 4.2.1

Alternatively if you can figure out a way to change the hoek version/update hoek using npm,will make things much simpler.(something like : npm update @hoek..version)..or uninstall the specific dependency then reinstall it using bower or npm.

小开

The simplest/easiest way to fix this is:

  1. npm install <dep>
  2. npm uninstall <dep>
  3. npm update
  4. npm install

From: https://github.com/Microsoft/vscode/issues/48783#issuecomment-384873041

小开

known security vulnerabilities and should be updated.

Since May 23rd, 2019, you now have "Dependabot: Automated security fixes"

Through the integration of Dependabot, we’ve released automated security fixes as a public beta.

Automated security fixes are pull requests generated by GitHub to fix security vulnerabilities.
They automate a tedious part of the workflow and make it easy for developers to keep their dependencies up to date.

See more at "Configuring automated security fixes"

Note: Automatic security fixes are available in beta and are subject to change.

You can enable automatic security fixes for any repository that uses security alerts and the dependency graph.
We'll automatically enable automatic security fixes in every repository that uses security alerts and the dependency graph over the next few months, starting in May 2019.

小开

This works for me. uninstall all of your dependencies and install it again

For example

from package.json see list of your dependencies

{
"name": "ebook-saler",
"version": "1.0.0",
"description": "App for selling ebooks",
"main": "app.js",
"scripts": {
"start": "node app.js"
},
"author": "Md Shayon",
"license": "ISC",
"dependencies": {
"body-parser": "^1.19.0",
"express": "^4.17.1",
"express-handlebars": "^3.1.0",
"hoek": "^6.1.3",
"stripe": "^7.5.0"
}
}

Follow the command for this

npm uninstall body-parser express express-handlebars hoek stripe
npm install body-parser express express-handlebars hoek stripe
git commit -m "updated"
git push
小开
  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. Click the alert you'd like to view.
  4. Review the details of the vulnerability and, if available, the pull request containing the automated security fix.
  5. Optionally, if there isn't already an automated security fix for the alert, to create a pull request to resolve the vulnerability, click Create automated security fix.
  6. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

See details

小开

I was having the same issue with a lodash security vulnerability, in a project I was building with yarn. Github flagged these as security concerns.

I tried the answer from @rileymanda above, using a terminal: cd into project, then run npm ls lodash.

This uncovered that in my case, the error was in react-scripts. Quick Google for issues with react-scripts and lodash uncovered that this was a known issue.

I tried various things to fix via yarn - all with no success. npm ls lodash still showed the vulnerable version of lodash in use.

Having read Matt Turnbull's blog about improvements to npm I switched from yarn back to npm. (Delete yarn.lock, delete ./node_modules. Run npm install). npm ls lodash now showed the latest dependency versions being used - hurrah! Committed to github, and it was now happy that the vulnerability had gone.

It looks like yarn may be struggling to unpick such issues (or isn't intended to).

If you're getting this issue when building with yarn, then try switching [back] to npm!

小开

try npm audit fix, it will solve many warnings

then npm i [package.name]@xxx

for example:

"dependencies": {
"lodash": ">=4.17.13"
}

npm i lodash@4.17.13


提交答案