角应用程序中节点模块中的漏洞

Question

在安全扫描中，我们有下面的依赖错误。这些都是粗俗的问题。

  qs
  load-utils

但这些依赖项不在package.json中。我在谷歌上读到过，这可能是间接依赖。如何检查间接依赖关系。有没有办法检查一下。

下面是我的package.json

{
  "name": "infy-02",
  "version": "0.0.0",
  "scripts": {
    "ng": "ng",
    "start": "node app.js",
    "build": "ng build --base-href /finnacle-payment/ ",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "~8.2.14",
    "@angular/cdk": "~8.2.3",
    "@angular/common": "~8.2.14",
    "@angular/compiler": "~8.2.14",
    "@angular/core": "~8.2.14",
    "@angular/forms": "~8.2.14",
    "@angular/platform-browser": "~8.2.14",
    "@angular/platform-browser-dynamic": "~8.2.14",
    "@angular/router": "~8.2.14",
    "@fortawesome/angular-fontawesome": "^0.5.0",
    "@fortawesome/fontawesome-svg-core": "^1.2.26",
    "@fortawesome/free-solid-svg-icons": "^5.12.0",
    "@grapecity/wijmo.all": "5.20203.748",
    "@grapecity/wijmo.angular2.all": "5.20203.748",
    "ansi-html": "0.0.9",
    "body-parser": "^1.19.0",
    "bootstrap": "^4.5.3",
    "classlist.js": "^1.1.20150312",
    "cookie-parser": "^1.4.4",
    "dd-trace": "2.5.0",
    "engine.io": "4.1.2",
    "express": "^4.17.1",
    "express-session": "^1.17.0",
    "hammerjs": "^2.0.8",
    "helmet": "^3.21.2",
    "ini": "1.3.6",
    "jquery": "3.5.1",
    "jsonwebtoken": "^8.5.1",
    "knex": "^0.20.11",
    "minimatch": "3.0.6",
    "morgan": "^1.9.1",
    "node-forge": "1.0.0",
    "passport": "^0.4.1",
    "passport-github": "^1.1.0",
    "passport-github2": "^0.1.12",
    "passport-oauth2": "^1.5.0",
    "passport-openidconnect": "0.0.2",
    "rxjs": "~6.4.0",
    "socket.io-parser": "3.3.2",
    "tslib": "^1.10.0",
    "wijmo": "5.20203.748",
    "winston": "^3.2.1",
    "xmlhttprequest-ssl": "1.6.3",
    "zone.js": "~0.9.1"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "~0.803.19",
    "@angular/cli": "~8.3.19",
    "@angular/compiler-cli": "~8.2.14",
    "@angular/language-service": "~8.2.14",
    "@types/node": "~8.9.4",
    "@types/jasmine": "~3.3.8",
    "@types/jasminewd2": "~2.0.3",
    "codelyzer": "^5.0.0",
    "jasmine-core": "~3.4.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~4.1.0",
    "karma-chrome-launcher": "~2.1.1",
    "karma-coverage-istanbul-reporter": "~2.0.1",
    "karma-jasmine": "~2.0.1",
    "karma-jasmine-html-reporter": "^1.4.0",
    "protractor": "~5.4.0",
    "ts-node": "~7.0.0",
    "tslint": "~5.15.0",
    "typescript": "~3.5.3"
  }
}

我曾尝试在谷歌搜索，但无法理解哪些依赖qs或load-utils依赖。你能帮个忙吗。

Answer 1

您可以直接或间接地要求npm解释为什么需要一个包：

$ npm explain qs

如果这是一种间接依赖，那么你对此无能为力。您必须等待其他包更新它们的依赖项。

但是，您可以更新自己的依赖项。这还将更新间接依赖项。例如，角已经在版本14，而你仍然在使用角8。