Pitfall-fixing time

- An error appears when starting the project. The error message:

```
found 14 vulnerabilities (5 low, 3 moderate, 6 high) run `npm audit fix` to fix them, or `npm audit` for ...
```

The message says there are 14 vulnerabilities.

- `npm audit fix` fixes what it can on its own, but some vulnerabilities still remain. `npm audit fix --force` forces the fix and automatically installs the npm packages it needs.
- One stubborn vulnerability still has to be fixed manually; the output shows:

```
fixed 11 of 12 vulnerabilities in 5918 scanned packages
1 vulnerability required manual review and could not
5 package updates for 11 vulnerabilities involved bre
(installed due to `--force` option)
```
- Run `npm audit` to see what needs manual fixing: it is the clean-css package.

```
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attentio
Visit https://go.npm.me/audit-guide for addit
Low Regular Expression Denial of Service
Package clean-css
More info https://npmjs.com/advisories/785
found 1 low severity vulnerability in 8340 scanned packages
1 vulnerability requires manual review. See the full report for detai...
```
- Install it manually from the command line with `npm install --save-dev clean-css`:

```
+ clean-css@4.2.3
updated 1 package and audited 8342 packages in 9.94s
9 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
```
This is where I got confused: the package is already installed, yet the vulnerability is still reported.

- Run `npm audit --json`. The report says the clean-css version is too low, even though I had already updated it:

```
"module_name": "clean-css",
"cves": [],
"vulnerable_versions": "<4.1.11",
"patched_versions": ">=4.1.11",
"overview": "Version of `clean-css` prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may
cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.",
"recommendation": "Upgrade to version 4.1.11 or higher.",
"references": "- [GitHub Commit](https://github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3)",...
```
- The last step is in package-lock.json in the project root: change the clean-css version number to the latest (mine is 4.2.3). Every corresponding entry has to be changed. Then run `npm audit`, and it's done!!!

```
=== npm audit security report ===
found 0 vulnerabilities
in 8342 scanned packages
```
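Why the top-level install left the report unchanged, as an added illustration that is not part of the original post: `npm install` adds a top-level clean-css, but a nested copy that another package pins under its own `dependencies` entry in the lockfile stays as it was, and `npm audit` still sees that copy. The script below, assumed to run with Node against an npm 6 style lockfile (`lockfileVersion` 1; the nested sample lock and the package name `some-minifier` are constructed), walks every nested `dependencies` entry, lists each copy of clean-css with its path, and flags those below the `patched_versions` value from the audit JSON, so you know exactly which lockfile entries need updating.

```javascript
// Added example (not from the original post): find every copy of a package
// in an npm 6 style package-lock.json (lockfileVersion 1, nested
// "dependencies" objects) and flag copies below the advisory's patched range.
// Values taken from the page's `npm audit --json` output.
const ADVISORY = { module_name: "clean-css", patched_versions: ">=4.1.11" };
// Compare two plain x.y.z versions numerically (no prerelease handling needed here).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}
// Only the ">=x.y.z" range shape appears in this advisory; reject anything else.
function isPatched(version, range) {
  const m = /^>=(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error("unsupported range: " + range);
  return cmpVersion(version, m[1]) >= 0;
}
// Recursively walk the lockfile tree; a package can appear at any depth.
function findCopies(deps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = path.concat(dep);
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    findCopies(info.dependencies, name, here, out);
  }
  return out;
}
// Every copy of the advisory's package, with a patched/unpatched verdict.
function auditLock(lock, advisory) {
  return findCopies(lock.dependencies, advisory.module_name).map((c) => ({
    ...c,
    patched: isPatched(c.version, advisory.patched_versions),
  }));
}
// Constructed sample lock: the top-level copy was updated by
// `npm install --save-dev clean-css`, but a nested copy under another
// package (hypothetical name) is still old and keeps the audit failing.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "clean-css": { version: "4.2.3" },
    "some-minifier": { version: "1.0.0", dependencies: { "clean-css": { version: "4.1.9" } } },
  },
};
console.log(JSON.stringify(auditLock(sampleLock, ADVISORY), null, 2));
```

Each unpatched entry's path tells you which parent package still pulls in the old copy, which is the entry to edit in package-lock.json or, better, the dependency to update so that the lockfile regenerates cleanly.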