5

我们切换到最新版本 (21) 的 cloud-s4-sdk-pipeline。新功能有效,但除了最新的依赖版本外,我们还会遇到npm 依赖审计错误。

调查结果摘要

•  High Arbitrary File Overwrite vulnerability found in dependency "tar", see https://npmjs.com/advisories/803 for details.
•  High Code Injection vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/813 for details.
•  Moderate Regular Expression Denial of Service vulnerability found in dependency "mime", see https://npmjs.com/advisories/535 for details.
•  Moderate Regular Expression Denial of Service vulnerability found in dependency "underscore.string", see https://npmjs.com/advisories/745 for details.
•  Moderate Prototype Pollution vulnerability found in dependency "lodash", see https://npmjs.com/advisories/782 for details.
•  Moderate Denial of Service vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/788 for details.

你有过类似的问题吗?有可用的解决方案吗?

4

1 回答 1

1

从 v20 到 v21 的主要变化之一是我们现在正在审核我们可以在您的项目中找到的所有 package.json 文件(对于 whitesource 扫描也是如此)。

我假设您的项目就是这种情况,因此会弹出新的审计结果。

我建议您npm audit --fix在 package.json 的目录中本地执行并提交生成的 package-lock.json。如果这也不能解决您的问题,最后一个解决方案是在 pipeline_config.yaml 中将这些 npm 审计问题标记为“已审计”,如此处所述

于 2019-07-03T07:05:46.110 回答