【问题标题】:node-sass fstream and tar dependencies vulnerabilitynode-sass fstream 和 tar 依赖漏洞
【发布时间】:2019-10-26 22:22:07
【问题描述】:

这是我在 package-lock.json 中的 node-gyp 依赖项

"node-gyp": {
      "version": "3.8.0",
      "resolved": "http://nexus.prod-admin11.vip.aws1/nexus/content/groups/npm-edmunds/node-gyp/-/node-gyp-3.8.0.tgz",
      "integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
      "dev": true,
      "requires": {
        "fstream": "^1.0.0",
        "glob": "^7.0.3",
        "graceful-fs": "^4.1.2",
        "mkdirp": "^0.5.0",
        "nopt": "2 || 3",
        "npmlog": "0 || 1 || 2 || 3 || 4",
        "osenv": "0",
        "request": "^2.87.0",
        "rimraf": "2",
        "semver": "~5.3.0",
        "tar": "^2.0.0",
        "which": "1"
      },
      "dependencies": {
        "semver": {
          "version": "5.3.0",
          "resolved": "http://nexus.prod-admin11.vip.aws1/nexus/content/groups/npm-edmunds/semver/-/semver-5.3.0.tgz",
          "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8=",
          "dev": true
        }
      }
    },

当我在这个包中运行纱线审计时,我得到了很高的漏洞:

node-sass > node-gyp > tar

node-sass > node-gyp > tar > fstream

node-sass > node-gyp > fstream

【问题讨论】:

    标签: javascript node-sass


    【解决方案1】:

    这两个漏洞都在次要版本中进行了修补。如果您想获取最新版本的依赖项,您可能需要删除锁定文件并重新安装。

    【讨论】:

      猜你喜欢
      • 2018-12-30
      • 2022-01-16
      • 2019-01-12
      • 2018-08-31
      • 2022-12-17
      • 2016-09-15
      • 2018-12-21
      • 1970-01-01
      • 2019-05-08
      相关资源
      最近更新 更多