How to get rid of the 'hoek' vulnerability

P. *_*uhn 24 github node.js npm angular

I recently pushed an Angular CLI 5 application to GitHub, and it pointed out the following:

We found a potential security vulnerability in one of your dependencies.
A dependency defined in net-incident/package-lock.json has known security vulnerabilities and should be updated.
Dependencies defined in net-incident/package-lock.json 816
hapijs / hoek Known security vulnerability in 2.16.3

I worked through the output of 'npm audit' and performed various updates, including the following (which was not prompted):

npm install --save-dev request@2.86.0

The 'request' package contains 'hawk', which contains 'hoek'. When I look at the 'request' package in node_modules, the version has changed. But the following two updates from 'npm audit' don't seem to do anything:

npm update fsevents --depth 4
npm update stringstream --depth 5

I am left with the following:

[!] 33 vulnerabilities found [12201 packages audited]
    Severity: 5 Low | 24 Moderate | 4 High
    Run `npm audit` for more detail

Many of the vulnerabilities look like this:

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   karma
Path            karma > log4js > loggly > request > hawk > boom > hoek
More info       https://nodesecurity.io/advisories/566

In the end the application would not compile, so I replaced the package and lock files and now I am back where I started. I really want to fix the security issue. How do I get rid of the nasty 'hoek' vulnerability?
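As an added example (not part of the question or the answer), here is a small Node script that walks the nested `dependencies` tree of an npm 5/6 style package-lock.json, lists every installed copy of hoek with its node_modules path, and flags the copies whose version falls outside the advisory's "Patched in" range `> 4.2.0 < 5.0.0 || >= 5.0.3`. The lockfile contents are constructed sample data, not the asker's real file.

```javascript
// Added example: audit a lockfile-v1 object for vulnerable copies of "hoek".
// SAMPLE_LOCK is constructed data mimicking the nested layout of package-lock.json;
// in practice you would JSON.parse the real file and pass that object instead.
const SAMPLE_LOCK = {
  dependencies: {
    karma: { version: '1.7.1', dev: true, dependencies: {
      log4js: { version: '0.6.38', dependencies: {
        loggly: { version: '1.1.1', dependencies: {
          request: { version: '2.75.0', dependencies: {
            hawk: { version: '3.1.3', dependencies: {
              boom: { version: '2.10.1', dependencies: {
                hoek: { version: '2.16.3' } } } } } } } } } } } } },
    request: { version: '2.86.0', dependencies: {
      hawk: { version: '6.0.2', dependencies: {
        hoek: { version: '4.2.1' } } } } },
    hoek: { version: '5.0.3' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (any pre-release suffix is ignored here).
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}
// Compare two versions: -1, 0 or 1, like strcmp.
function cmp(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// The advisory's patched range "> 4.2.0 < 5.0.0 || >= 5.0.3", written out explicitly.
function isPatched(version) {
  return (cmp(version, '4.2.0') > 0 && cmp(version, '5.0.0') < 0) || cmp(version, '5.0.3') >= 0;
}
// Walk the nested "dependencies" tree, collecting every copy of `name` together
// with its physical node_modules nesting path (not the require() chain).
function findCopies(lock, name, trail = [], out = []) {
  for (const [dep, node] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) out.push({ path: path.join(' > '), version: node.version });
    findCopies(node, name, path, out);
  }
  return out;
}
// Return only the copies whose version is still inside the vulnerable range.
function vulnerableCopies(lock, name = 'hoek') {
  return findCopies(lock, name).filter(c => !isPatched(c.version));
}
console.log(vulnerableCopies(SAMPLE_LOCK));
```

Only the deeply nested copy under karma is reported; the copies under the updated request@2.86.0 and at the top level are already patched, which is why updating request alone does not clear the audit.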

P. *_*uhn 1

I was patient and they fixed the problem:

npm update karma@latest

should do the trick.