【发布时间】:2020-09-25 05:40:11
【问题描述】:
我们在 AngularJS 1.x 上有一个 Web 应用程序,它正在创建依赖项问题 -> 依赖库以扫描漏洞。
包.json:
{
"name": "Test",
"dependencies": {
"angular": "1.6.9",
"angular-animate": "1.6.6",
"angular-aria": "1.6.9",
"angular-material": "1.1.9",
"angular-messages": "1.6.9",
"angular-route": "1.6.9",
"angular-touch": "1.6.9",
"angular-ui-router": "0.3.2",
"angular-smart-table": "2.1.8",
"angular-ui-bootstrap": "1.3.3",
"angular-ui-grid": "4.8.3",
"angular-ui-select": "0.12.10",
"uuid": "^3.3.2",
"bootstrap": "3.3.7",
"requirejs": "2.3.6",
"jquery": "3.3.1",
"grunt-cli": "1.3.2",
"grunt": "1.3.0",
"grunt-contrib-uglify": "4.0.1",
"grunt-contrib-jshint": "2.1.0",
"grunt-contrib-requirejs": "1.0.0",
"grunt-contrib-clean": "1.1.0",
"grunt-contrib-copy": "1.0.0",
"grunt-contrib-cssmin": "2.2.1",
"grunt-contrib-concat": "1.0.1",
"grunt-processhtml": "0.4.2",
"grunt-front-end-modules": "1.1.0",
"grunt-karma": "3.0.0",
"underscore": "1.8.3",
"d3": "3.5.17",
"nvd3": "1.8.1",
"angular-file-saver": "1.1.3",
"smart-area": "2.0.0",
"csv-js": "1.0.0",
"pdfmake": "0.1.36",
"file-saver": "1.3.2",
"font-awesome": "4.7.0",
"angular-file-upload": "2.5.0"
}
}
包锁.json
...
"htmlprocessor": {
"version": "0.2.6",
"resolved": "https://artifacts.jpmchase.net:443/artifactory/api/npm/npm/htmlprocessor/-/htmlprocessor-0.2.6.tgz",
"integrity": "sha1-rJ9HfsU3g7jXprZ9e2w1HqXXPTU=",
"requires": {
"lodash": "~2.4.1"
},
"dependencies": {
"lodash": {
**"version": "2.4.2",**
"resolved": "https://artifacts.jpmchase.net:443/artifactory/api/npm/npm/lodash/-/lodash-2.4.2.tgz",
"integrity": "sha1-+t2DS5aDBz2hebPq5tnA0VBT9z4="
}
}
},
...
例如上面的例子 - lodash 需要更新到 4.17.20 来修复漏洞。
我是添加 lodash 作为 devDependency 还是手动更新 package-lock.json ?
注意-package-lock.json 不是作为源代码控制的一部分推送的,但我正在网上研究它应该是
【问题讨论】:
标签: angularjs security npm package.json