我正在尝试更新Angular 13中的chart.js和ng2图表,但当我安装时:npm Ichart.js@3.7.1和npm ing2-charts@3.0.1我遇到了nmp审核修复无法解决的漏洞,在这种情况下我需要更新任何其他依赖项吗?
up to date, audited 1685 packages in 5s
187 packages are looking for funding
run `npm fund` for details
# npm audit report
@angular/core <11.0.5
Severity: moderate
Cross site scripting in Angular - https://github.com/advisories/GHSA-c75v-2vq8-878f
fix available via `npm audit fix --force`
Will install codelyzer@0.0.28, which is a breaking change
node_modules/codelyzer/node_modules/@angular/core
codelyzer >=1.0.0-beta.0
Depends on vulnerable versions of @angular/core
node_modules/codelyzer
lodash <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
No fix available
node_modules/karma-html-reporter/node_modules/lodash
karma-html-reporter *
Depends on vulnerable versions of lodash
node_modules/karma-html-reporter
terser 5.0.0 - 5.14.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/@angular-devkit/build-angular/node_modules/terser
@angular-devkit/build-angular 0.1001.0-next.0 - 12.2.17 || 13.0.0-next.0 - 13.3.8 || 14.0.0-next.0 - 14.1.0-rc.3
Depends on vulnerable versions of terser
node_modules/@angular-devkit/build-angular
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/dateformat/node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/dateformat/node_modules/meow
8 vulnerabilities (3 moderate, 4 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
大部分npm"漏洞";可以简单地忽略。
我建议你阅读这篇文章:https://overreacted.io/npm-audit-broken-by-design/