npm shows a serious vulnerability for Laravel on Ubuntu 18.04 LTS

Running the command npm install laravel-mix cross-env --save-dev in the web/ … /custom/cp_bootstrap4 directory:

    added 744 packages from 474 contributors and audited 745 packages in 90.492s
    found 1 moderate severity vulnerability

I tried the commands:
1. npm audit fix
2. npm audit fix --force

but one serious vulnerability is still not resolved.

Output of the above commands:
    npm audit security report

    Manual Review
    Some vulnerabilities require your attention to resolve

    Moderate        file-type vulnerable to Infinite Loop via malformed MKV file
    Package         file-type
    Patched in      >=16.5.4
    Dependency of   laravel-mix [dev]
    Path            laravel-mix > imagemin > file-type

My subtheme's package.json:
    {
      "name": "cp_bootstrap4",
      "version": "1.0.0",
      "description": "[Bootstrap 4](https://www.drupal.org/project/bootstrap4) subtheme.",
      "main": "index.js",
      "scripts": {
        "test": "echo \"Error: no test specified\" && exit 1"
      },
      "keywords": [],
      "author": "",
      "license": "ISC",
      "devDependencies": {
        "cross-env": "^7.0.3",
        "laravel-mix": "^6.0.49"
      }
    }

Please suggest how I can solve this problem!
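Posted on 2022-07-25 18:51:15

Try adding an override to package.json, which means it will replace a package in the dependency tree with another version.

The package with the vulnerability is file-type, but npm indicates that the dependent package must be updated (package > dependent-package > package-with-vulnerabilities), so imagemin must be updated.

It looks like Laravel Mix has not fixed this yet, but the solutions are already in place. Check this URL: https://snyk.io/test/npm/laravel-mix/6.0.20#SNYK-JS-FILETYPE-2958042

Try the following in your package.json: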
    {
      "name": "cp_bootstrap4",
      "version": "1.0.0",
      "description": "[Bootstrap 4](https://www.drupal.org/project/bootstrap4) subtheme.",
      "main": "index.js",
      "scripts": {
        "test": "echo \"Error: no test specified\" && exit 1"
      },
      "keywords": [],
      "author": "",
      "license": "ISC",
      "devDependencies": {
        "cross-env": "^7.0.3",
        "laravel-mix": "^6.0.49"
      },
      "overrides": {
        "laravel-mix": {
          "imagemin": "^8.0.1"
        }
      }
    }

https://stackoverflow.com/questions/73096453
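
To confirm that an override like the one above actually took effect (npm only honours the overrides field from version 8.3.0 onward), the lockfile can be checked for any installed copy of file-type below the patched version. This is an added example, not part of the original question or answer; the lockfile excerpts, every version number other than 16.5.4 and 6.0.49, and the hypothetical-tool package are constructed for illustration.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3) for
// installed copies of a package that are older than the patched version.
const PATCHED = "16.5.4"; // "Patched in >=16.5.4" from the npm audit report

// Compare plain x.y.z versions numerically; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `minVersion`.
// In lockfileVersion 2/3 the `packages` map is keyed by install path, so
// nested copies look like "node_modules/imagemin/node_modules/file-type".
// Matching on "node_modules/<name>" avoids hits such as "@types/<name>".
function findVulnerable(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .filter(([, meta]) => typeof meta.version === "string" &&
                          compareVersions(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed lockfile excerpt: state before the override is applied.
const lockBefore = { lockfileVersion: 2, packages: {
  "node_modules/laravel-mix": { version: "6.0.49", dev: true },
  "node_modules/imagemin": { version: "7.0.1", dev: true },
  "node_modules/file-type": { version: "12.4.2", dev: true },
} };

// Constructed excerpt: after the override, plus a nested copy pulled in by a
// hypothetical package outside the laravel-mix > imagemin path.
const lockAfter = { lockfileVersion: 2, packages: {
  "node_modules/laravel-mix": { version: "6.0.49", dev: true },
  "node_modules/imagemin": { version: "8.0.1", dev: true },
  "node_modules/file-type": { version: "16.5.4", dev: true },
  "node_modules/hypothetical-tool/node_modules/file-type": { version: "9.0.0" },
} };

console.log("before:", findVulnerable(lockBefore, "file-type", PATCHED));
console.log("after: ", findVulnerable(lockAfter, "file-type", PATCHED));
```

Against a real project, pass the parsed contents of package-lock.json as the lock argument; an empty result means no installed copy is below the patched version.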