When I run npm install
it says found 33 vulnerabilities (2 low, 31 moderate)
run `npm audit fix` to fix them, or `npm audit` for details
.
However, npm audit fix
outputs up to date in 11s
fixed 0 of 33 vulnerabilities in 24653 scanned packages
33 vulnerabilities required manual review and could not be updated
Does that review
mean it is not supposed to be fixed by user?
When I run npm audit
it gives me list of tables, similar to this:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ browser-sync > easy-extender > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
In this example remediation section of linked page says Update to version 4.17.5 or later.
. However, in /node_modules/browser-sync/package.json
there are lines:
"devDependencies": {
"lodash-cli": "4.17.5",
}
and no more lodash dependencies. So it should already be v4.17.5. I also checked /node_modules/lodash/lodash.json
which has var VERSION = '4.17.10';
line. In /node_modules/lodash/package.json
there are these lines:
"_from": "lodash@^4.17.4",
"_id": "lodash@4.17.10",
I believe that version shown in "_id", not in "_from", so versions are correct but vulnerability still appear in audit list.
I'm still new in node.js and those messages confuses me a lot. Is there any way to fix it manually or get rid of those messages, I can't do anything with?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…