Problem 1:
audited 1806 packages in 7.655s
49 packages are looking for funding
run `npm fund` for details
found 16 vulnerabilities (3 low, 4 moderate, 9 high)
run `npm audit fix` to fix them, or `npm audit` for details
Solution 1:
Run npm audit fix or npm audit
It still reports errors, so run npm audit --json to print the details
{
"actions": [
{
"action": "review",
"module": "wangeditor",
"resolves": [
{
"id": 876,
"path": "wangeditor",
"dev": false,
"bundled": false,
"optional": false
}
]
},
{
"action": "review",
"module": "minimist",
"resolves": [
{
"id": 1179,
"path": "@antv/l7>@antv/l7-layers>@antv/l7-source>@mapbox/geojson-rewind>sharkdown>minimist",
"dev": false,
"optional": false,
"bundled": false
}
]
}
],
"advisories": {
"876": {
"findings": [
{
"version": "3.1.1",
"paths": [
"wangeditor"
]
}
],
"id": 876,
"created": "2019-05-06T17:53:04.792Z",
"updated": "2019-07-12T16:20:10.969Z",
"deleted": null,
"title": "Cross-Site Scripting",
"found_by": {
"link": "",
"name": "fuxiao1"
},
"reported_by": {
"link": "",
"name": "fuxiao1"
},
"module_name": "wangeditor",
"cves": [],
"vulnerable_versions": ">=0",
"patched_versions": "<0.0.0",
"overview": "All versions of `wangeditor` are vulnerable to Cross-Site Scripting. The package fails to properly encode output, allowing arbitrary JavaScript to be inserted in links and executed by browsers.",
"recommendation": "No fix is currently available. Consider using an alternative module until a fix is made available.",
"references": "- [GitHub Issue](https://github/wangfupeng1988/wangEditor/issues/1945)\n- [Snyk Report](https://snyk.io/vuln/SNYK-JS-WANGEDITOR-174536)",
"access": "public",
"severity": "high",
"cwe": "CWE-79",
"metadata": {
"module_type": "",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs/advisories/876"
},
"1179": {
"findings": [
{
"version": "0.0.5",
"paths": [
"@antv/l7>@antv/l7-layers>@antv/l7-source>@mapbox/geojson-rewind>sharkdown>minimist"
]
}
],
"id": 1179,
"created": "2019-09-23T15:01:43.049Z",
"updated": "2020-03-18T19:41:45.921Z",
"deleted": null,
"title": "Prototype Pollution",
"found_by": {
"link": "https://www.checkmarx/resources/blog/",
"name": "Checkmarx Research Team",
"email": ""
},
"reported_by": {
"link": "https://www.checkmarx/resources/blog/",
"name": "Checkmarx Research Team",
"email": ""
},
"module_name": "minimist",
"cves": [],
"vulnerable_versions": "<0.2.1 || >=1.0.0 <1.2.3",
"patched_versions": ">=0.2.1 <1.0.0 || >=1.2.3",
"overview": "Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises and uncaught error and crashes the application. \nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n",
"recommendation": "Upgrade to versions 0.2.1, 1.2.3 or later.",
"references": "- [GitHub commit 1](https://github/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95)\n- [GitHub commit 2](https://github/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)",
"access": "public",
"severity": "low",
"cwe": "CWE-471",
"metadata": {
"module_type": "",
"exploitability": 1,
"affected_components": ""
},
"url": "https://npmjs/advisories/1179"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 0,
"high": 1,
"critical": 0
},
"dependencies": 753,
"devDependencies": 1081,
"optionalDependencies": 26,
"totalDependencies": 1835
},
"runId": "a0582b73-2c7a-4f66-889f-bf14c7915028"
}
As the output shows, two modules have problems: wangeditor and minimist
"module_name": "wangeditor",
"cves": [],
"vulnerable_versions": ">=0",
"patched_versions": "<0.0.0",
"overview": "All versions of `wangeditor` are vulnerable to Cross-Site Scripting. The package fails to properly encode output, allowing arbitrary JavaScript to be inserted in links and executed by browsers.",
"recommendation": "No fix is currently available. Consider using an alternative module until a fix is made available.",
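The wangeditor module has no fix available; consider an alternative module or wait until one is available
= = There is no way to fix it, so just ignore it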
"module_name": "minimist",
"cves": [],
"vulnerable_versions": "<0.2.1 || >=1.0.0 <1.2.3",
"patched_versions": ">=0.2.1 <1.0.0 || >=1.2.3",
"recommendation": "Upgrade to versions 0.2.1, 1.2.3 or later.",
Upgrade the minimist module to version 0.2.1, 1.2.3 or later
See here:
Installing, removing, and updating npm modules
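The manual triage above can be scripted. The following is an added example, not code from the original post: a Node.js script that reads npm 6 style `npm audit --json` output and reports, per advisory, whether a patched release exists and whether the package is a direct or transitive dependency. The `triage` helper and the `SAMPLE` data are constructed for illustration.

```javascript
// Added example: triage npm 6 style `npm audit --json` output (the format shown above).
// SAMPLE is a constructed, trimmed copy of the two advisories from that report.
const SAMPLE = { advisories: {
  876: { module_name: "wangeditor", severity: "high", title: "Cross-Site Scripting",
    patched_versions: "<0.0.0",
    findings: [{ version: "3.1.1", paths: ["wangeditor"] }] },
  1179: { module_name: "minimist", severity: "low", title: "Prototype Pollution",
    patched_versions: ">=0.2.1 <1.0.0 || >=1.2.3",
    findings: [{ version: "0.0.5", paths: [
      "@antv/l7>@antv/l7-layers>@antv/l7-source>@mapbox/geojson-rewind>sharkdown>minimist",
    ] }] },
} };

const RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Build one triage row per advisory, most severe first. (Hypothetical helper.)
function triage(report) {
  const rows = Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const paths = findings.flatMap((f) => f.paths || []);
    // The unsatisfiable range "<0.0.0" is how the advisory says no patched release exists.
    const fixExists = adv.patched_versions !== "<0.0.0";
    // A path with no ">" is a package listed in this project's own package.json.
    const direct = paths.some((p) => !p.includes(">"));
    // First element of each path: the top-level dependency that pulls the package in.
    const via = [...new Set(paths.map((p) => p.split(">")[0]))];
    let next;
    if (!fixExists) next = "no patched release: replace the module or track the risk";
    else if (direct) next = `upgrade ${adv.module_name} to ${adv.patched_versions}`;
    else next = `look for a ${via.join(", ")} release that resolves ` +
      `${adv.module_name} to ${adv.patched_versions}`;
    return { module: adv.module_name, severity: adv.severity, title: adv.title,
      installed: findings.map((f) => f.version), direct, fixExists, via, next };
  });
  return rows.sort((a, b) => (RANK[a.severity] ?? 9) - (RANK[b.severity] ?? 9));
}

// Usage: npm audit --json > audit.json && node triage.js audit.json
// With no file argument (or when loaded as an ES module) SAMPLE is used.
let report = SAMPLE;
if (typeof require !== "undefined" && process.argv[2]) {
  report = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
}
for (const r of triage(report)) {
  console.log(`[${r.severity}] ${r.module} ${r.installed.join(",")} (${r.title}): ${r.next}`);
}
```

For the minimist finding, the row points at `@antv/l7` because that is the only entry in the chain this project's package.json controls directly.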