npm shows a severity vulnerability for Laravel Mix on Ubuntu 18.04 LTS



Running the command npm install laravel-mix cross-env --save-dev from the web/themes/custom/cp_bootstrap4 directory shows a severity vulnerability on Ubuntu 18.04 LTS:

added 744 packages from 474 contributors and audited 745 packages in 90.492s
found 1 moderate severity vulnerability

I have tried the commands

1. npm audit fix 
2. npm audit fix --force 

But the 1 severity vulnerability is not resolved.

Output of the above commands:

npm audit security report
Manual Review
Some vulnerabilities require your attention to resolve                                                               
Moderate       file-type vulnerable to Infinite Loop via malformed MKV file
Package        file-type
Patched in     >=16.5.4
Dependency of  laravel-mix [dev]
Path           laravel-mix > imagemin > file-type

My subtheme's package.json:

{
  "name": "cp_bootstrap4",
  "version": "1.0.0",
  "description": "[Bootstrap 4](https://www.drupal.org/project/bootstrap4) subtheme.",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "devDependencies": {
    "cross-env": "^7.0.3",
    "laravel-mix": "^6.0.49"
  }
}

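Please suggest how I can solve this issue!

Try adding an override to your package.json, which means it will replace a package in the dependency tree with another version.

The vulnerable package is file-type, but npm says you have to update the dependent package (vulnerable package > dependent package), so you have to update imagemin.

It seems laravel-mix has not resolved this issue yet, but a solution is ready. Check this URL: https://snyk.io/test/npm/laravel-mix/6.0.20#SNYK-JS-FILETYPE-2958042

Try using this code in your package.json: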

{
  "name": "cp_bootstrap4",
  "version": "1.0.0",
  "description": "[Bootstrap 4](https://www.drupal.org/project/bootstrap4) subtheme.",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "devDependencies": {
    "cross-env": "^7.0.3",
    "laravel-mix": "^6.0.49"
  },
  "overrides": {
    "laravel-mix": {
      "imagemin": "^8.0.1"
    }
  }
}
