In my package.json file, I list gulp as one of my dependencies.
{
  "name": "myproject",
  "devDependencies": {
    "gulp": "^4.0.2"
    // other stuff
  }
}
When I run npm i, I get a message saying there are moderate security vulnerabilities. So I ran npm audit and got this:
=== npm audit security report ===

                               Manual Review
           Some vulnerabilities require your attention to resolve

         Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   gulp [dev]
  Path            gulp > glob-watcher > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   gulp [dev]
  Path            gulp > vinyl-fs > glob-stream > glob-parent
  More info       https://npmjs.com/advisories/1751

found 2 moderate severity vulnerabilities in 751 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
So I figured it was just a matter of bumping the gulp version to the highest (presumably patched) one. But it seems this is already the highest version, so what do I do about the vulnerability?
I found a real solution on YouTube: https://youtu.be/d5vfi-l4KWQ

You need to update your package.json file to override the configuration of the package that causes the problem with a newer version:
{
  ...
  "overrides": {
    "glob-parent": "6.0.2"
  }
}