【问题标题】:npm_install `1 high severity vulnerability` node version: 12.18.3npm_install `1 高危漏洞` 节点版本:12.18.3
【发布时间】:2020-11-12 06:59:11
【问题描述】:

已将 wss 安装到我的 Node_modules 文件夹中,它还安装了一些名为 istanbul 的东西?这是正常的吗?安装 Wss 时,它安装了 47 个其他软件包。不确定这是否应该发生或是否出现问题。无论如何都尝试更新 package.json 文件,但它给出了一些我不太理解的错误。

终端输出如下:

[letlziml@premium88 ~]$ source /home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/bin/activate && cd /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g https
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ https@1.0.0
added 1 package from 1 contributor in 0.457s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g ws
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ ws@7.3.1
added 1 package from 1 contributor in 0.434s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g wss
ln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
+ wss@3.3.4
added 47 packages from 148 contributors in 3.006s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g osln: creating symbolic link `/home/letlziml/nodevenv/public_html/0/0/0/0/1/0/1/NodeTest/12/lib/package.json': No such file or directory
+ os@0.1.1
added 1 package from 1 contributor in 0.511s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (nodetest) ^C
Sorry, name can only contain URL-friendly characters and name can no longer contain capital letters.
package name: (nodetest) npm WARN init canceled
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm int -y

Usage: npm <command>

where <command> is one of:
    access, adduser, audit, bin, bugs, c, cache, ci, cit,
    clean-install, clean-install-test, completion, config,
    create, ddp, dedupe, deprecate, dist-tag, docs, doctor,
    edit, explore, fund, get, help, help-search, hook, i, init,
    install, install-ci-test, install-test, it, link, list, ln,
    login, logout, ls, org, outdated, owner, pack, ping, prefix,
    profile, prune, publish, rb, rebuild, repo, restart, root,
    run, run-script, s, se, search, set, shrinkwrap, star,
    stars, start, stop, t, team, test, token, tst, un,
    uninstall, unpublish, unstar, up, update, v, version, view,
    whoami

npm <command> -h  quick help on <command>
npm -l            display full usage info
npm help <term>   search for help on <term>
npm help npm      involved overview

Specify configs in the ini-formatted file:
    /home/letlziml/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config

npm@6.14.6 /opt/alt/alt-nodejs12/root/usr/lib/node_modules/npm

Did you mean one of these?
    init
    it
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init -y
Wrote to /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest/package.json:

{
  "name": "NodeTest",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "dependencies": {},
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g os
+ os@0.1.1
updated 1 package in 0.377s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g fs
+ fs@0.0.1-security
added 1 package in 0.341s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g url
+ url@0.11.0
added 3 packages from 3 contributors in 0.748s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g util
+ util@0.12.3
added 27 packages from 17 contributors in 2.589s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g path
+ path@0.12.7
added 4 packages from 2 contributors in 0.772s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g http
+ http@0.0.1-security
added 1 package in 0.351s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g https
+ https@1.0.0
updated 1 package in 0.326s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g crypto
npm WARN deprecated crypto@1.0.1: This package is no longer supported. It's now a built-in Node module. If you've depended on crypto, you should switch to the one that's built-in.
+ crypto@1.0.1
added 1 package in 0.327s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g events
+ events@3.2.0
added 1 package from 1 contributor in 0.358s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install -g querystring
+ querystring@0.2.0
added 1 package from 1 contributor in 0.341s
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm init -y
Wrote to /home/letlziml/public_html/0/0/0/0/1/0/1/NodeTest/package.json:

{
  "name": "NodeTest",
  "version": "1.0.0",
  "main": "app.js",
  "dependencies": {},
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": ""
}


[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm install --save wss
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN NodeTest@1.0.0 No description
npm WARN NodeTest@1.0.0 No repository field.

+ wss@3.3.4
added 47 packages from 148 contributors and audited 47 packages in 43.684s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/letlziml/.npm/_logs/2020-10-09T14_58_00_189Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/letlziml/.npm/_logs/2020-10-09T14_58_24_982Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm i --package-lock-only
npm WARN NodeTest@1.0.0 No description
npm WARN NodeTest@1.0.0 No repository field.

audited 47 packages in 0.911s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/letlziml/.npm/_logs/2020-10-09T15_00_00_845Z-debug.log
[public_html/0/0/0/0/1/0/1/NodeTest (12)] [letlziml@premium88 NodeTest]$

按照终端的建议尝试了 npm 审计修复,但它说它需要手动审查?

【问题讨论】:

    标签: node.js bash npm node-modules


    【解决方案1】:

    这里有几个问题。我会尽量涵盖所有内容。

    它还安装了一个叫做 istanbul 的东西?这正常吗?

    是的,这是预期的,istanbulwss 的依赖项。

    它安装了 47 个其他软件包.. 不确定这是否应该发生或是否出了问题

    听起来不错,wss 有 2 个直接依赖项(wsistanbul)。 ws 没有依赖项,但 istanbul 有 14 个。如果继续沿着依赖项链往下走,它应该会添加多达 47 个依赖项。

    按照终端的建议尝试了 npm 审计修复,但它说它需要手动审查?

    2.0.0 到 3.3.0 版本的 ws 依赖项存在安全问题(请参阅下面的审核 sn-p)。不幸的是,wssws 依赖项固定到版本 ^2.3.1(请参阅https://github.com/ivoputzer/wss/blob/master/package.json#L34),因此没有修补兼容版本。这是需要在wss 库中解决的问题。

    $ npm audit
                                                                                    
                           === npm audit security report ===                        
                                                                                    
    ┌──────────────────────────────────────────────────────────────────────────────┐
    │                                Manual Review                                 │
    │            Some vulnerabilities require your attention to resolve            │
    │                                                                              │
    │         Visit https://go.npm.me/audit-guide for additional guidance          │
    └──────────────────────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Denial of Service                                            │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ ws                                                           │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >= 1.1.5 <2.0.0 || >=3.3.1                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ wss                                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ wss > ws                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/550                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    found 1 high severity vulnerability in 47 scanned packages
      1 vulnerability requires manual review. See the full report for details.
    

    【讨论】:

      猜你喜欢
      • 2021-09-05
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2021-06-30
      • 2019-11-22
      • 1970-01-01
      • 2016-12-28
      • 2022-01-19
      相关资源
      最近更新 更多