Preface

When installing project dependencies with npm install, we often see vulnerability warnings like the following.

Analyzing the problem

What does npm audit fix do, and why does it solve the problem? Let's go to the npm website and take a look.

From the official website:

npm audit allows developers to analyze complex code and pinpoint specific vulnerabilities and defects.

npm audit fix detects vulnerabilities in project dependencies and automatically installs updated versions of the vulnerable dependencies, so you don't have to track down and fix them yourself.

Of course, there are other options:

# Update package-lock.json only, not node_modules
npm audit fix --package-lock-only

# Do not update development dependencies
npm audit fix --only=prod

# Update to the latest dependencies, not just semver-compatible ones
npm audit fix --force

# Do a dry run of audit fix to see what it would change, with the result in JSON format
npm audit fix --dry-run --json

See the documentation for the other options.

So now we know that it analyzes the package-lock.json file and scans our packages for known vulnerabilities. Is there any way to stop it from scanning?

Solving the problem

After finding the problem, my first reaction was to ask whether the analysis could be turned off through configuration.

After reviewing the documentation, we found that npm audit can indeed be disabled through configuration. So let's start by looking at what our current configuration is, and which settings control the audit function.

# Run the following command to print our npm config
npm config ls -l

In the output we can see that auditing is enabled:

audit = true

We can also see audit-level = "low", which controls the minimum vulnerability severity that is reported.

We can then change these settings to turn off the audit analysis.

# Set audit to false to turn off auditing
npm set audit false

# Set the minimum vulnerability level to report ('moderate', 'high' or 'critical')
npm set audit-level high

And now the world is quiet: no more of these vulnerability warnings ~

However, some readers will worry that their project really does have a vulnerability and gets attacked (although I think the probability is very small).

In that case the only honest option is to actually run npm audit fix.

Some readers will then say: I ran it, but the vulnerability still isn't fixed. Why?

Why running npm audit fix still doesn't fix it

That's because not all vulnerable dependencies can be updated to a fixed version with npm commands.

For example, some packages are third-party dependencies of node-gyp, which cannot be changed with npm commands and can only be fixed manually.

Go to node_modules > node_gyp > package.json, find the package you want to update, manually change its version in that package.json to the latest version, and then run npm audit fix.