NodeJs_found 4 vulnerabilities (3 low, 1 critical)_updating the jade dependency_Jade has been renamed to pug
When running npm install in a new Node.js project, this error kept appearing.
The error message is shown below.
The root cause is that Jade has been renamed.
npm WARN deprecated jade@1.11.0: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated constantinople@3.0.2: Please update to at least constantinople 3.1.1
npm WARN deprecated transformers@2.1.0: Deprecated, use jstransformer
Run the command
npm audit
to view the package security report.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Incorrect Handling of Non-Boolean Comparisons During
Minification
Package uglify-js
Patched in >= 2.4.24
Dependency of jade
Path jade > transformers > uglify-js
More info https://npmjs.com/advisories/39
Low Regular Expression Denial of Service
Package uglify-js
Patched in >=2.6.0
Dependency of jade
Path jade > transformers > uglify-js
More info https://npmjs.com/advisories/48
Critical Sandbox Bypass Leading to Arbitrary Code Execution
Package constantinople
Patched in >=3.1.1
Dependency of jade
Path jade > constantinople
More info https://npmjs.com/advisories/568
Low Regular Expression Denial of Service
Package clean-css
Patched in >=4.1.11
Dependency of jade
Path jade > clean-css
More info https://npmjs.com/advisories/785
found 4 vulnerabilities (3 low, 1 critical) in 158 scanned packages
4 vulnerabilities require manual review. See the full report for details.
You can see that every reported problem is tied to jade, the rotten apple in this dependency tree.
Generally, whenever the npm audit output does not look like this (found 0 vulnerabilities),
it means some of the packages pulled into the project have suspicious issues.
=== npm audit security report ===
found 0 vulnerabilities
in 164 scanned packages
The follow-up fix is to remove the jade package and install pug in its place,
and that is all it takes.
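An added example, not from the original post: a small POSIX shell helper that reads an npm audit text report (embedded here as a constructed sample built from the report lines shown above) and tallies, per top-level dependency, how many advisories trace back to it, plus the "found 0 vulnerabilities" gate the post describes. The function names audit_findings, audit_blame and audit_clean are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse an npm audit text report
# and attribute each advisory to the top-level dependency that pulls it in.
# AUDIT_REPORT is a constructed sample reproducing the report lines above.

AUDIT_REPORT='=== npm audit security report ===
Low Incorrect Handling of Non-Boolean Comparisons During Minification
Package uglify-js
Patched in >= 2.4.24
Dependency of jade
Path jade > transformers > uglify-js
Low Regular Expression Denial of Service
Package uglify-js
Patched in >=2.6.0
Dependency of jade
Path jade > transformers > uglify-js
Critical Sandbox Bypass Leading to Arbitrary Code Execution
Package constantinople
Patched in >=3.1.1
Dependency of jade
Path jade > constantinople
Low Regular Expression Denial of Service
Package clean-css
Patched in >=4.1.11
Dependency of jade
Path jade > clean-css
found 4 vulnerabilities (3 low, 1 critical) in 158 scanned packages'

# Print "severity package top-level-dependency" for each advisory block.
audit_findings() {
  printf '%s\n' "$1" | awk '
    /^(Low|Moderate|High|Critical) / { sev = $1 }
    /^Package /                      { pkg = $2 }
    /^Dependency of /                { dep = $3; print sev, pkg, dep }
  '
}

# Count advisories per top-level dependency, most affected first.
audit_blame() {
  audit_findings "$1" | awk '{ n[$3]++ } END { for (d in n) print n[d], d }' | sort -rn
}

# Gate: succeed only when the report says "found 0 vulnerabilities".
audit_clean() {
  printf '%s\n' "$1" | grep -q '^found 0 vulnerabilities'
}
```

Running audit_blame "$AUDIT_REPORT" on the sample prints "4 jade", which is exactly the conclusion the post draws by reading the report manually.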