NodeJs_found 4 vulnerabilities (3 low, 1 critical)_jade相依套件的更新_Jade has been renamed to pug

 Node Js 在新專案中進行npm install 套件安裝時候
頻頻出這個錯




錯誤訊息如下
主因是因為 Jade已經被Rename了

npm WARN deprecated jade@1.11.0: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated constantinople@3.0.2: Please update to at least constantinople 3.1.1
npm WARN deprecated transformers@2.1.0: Deprecated, use jstransformer




用指令
npm audit
查看套件安全報告
=== npm audit security report === Manual Review Some vulnerabilities require your attention to resolve Visit https://go.npm.me/audit-guide for additional guidance Low Incorrect Handling of Non-Boolean Comparisons During Minification Package uglify-js Patched in >= 2.4.24 Dependency of jade Path jade > transformers > uglify-js More info https://npmjs.com/advisories/39 Low Regular Expression Denial of Service Package uglify-js Patched in >=2.6.0 Dependency of jade Path jade > transformers > uglify-js More info https://npmjs.com/advisories/48 Critical Sandbox Bypass Leading to Arbitrary Code Execution Package constantinople Patched in >=3.1.1 Dependency of jade Path jade > constantinople More info https://npmjs.com/advisories/568 Low Regular Expression Denial of Service Package clean-css Patched in >=4.1.11 Dependency of jade Path jade > clean-css More info https://npmjs.com/advisories/785 found 4 vulnerabilities (3 low, 1 critical) in 158 scanned packages 4 vulnerabilities require manual review. See the full report for details.


可以看到詳細問題都跟jade這個老鼠屎有關
通常只要npm audit出來結果不是長這樣(found 0 vulnerabilities)
就代表專案裡面隱入的套件有一些怪怪的問題

                       === npm audit security report ===

found 0 vulnerabilities
 in 164 scanned packages






後期處理就是針對jade套件刪除並重新安裝pug
即可





Ref:
关于npm audit fix

Vulnerabilities problem using “npm install”

Found 4 vulnerabilities on npm install

留言

這個網誌中的熱門文章

何謂淨重(Net Weight)、皮重(Tare Weight)與毛重(Gross Weight)

Architecture(架構) 和 Framework(框架) 有何不同?_軟體設計前的事前規劃的藍圖概念

經得起原始碼資安弱點掃描的程式設計習慣培養(五)_Missing HSTS Header