how to fix the npm audit report

青春壹個敷衍的年華 submitted on 2019-12-22 11:21:49

Question


When I run the npm audit command:

    === npm audit security report ===

    Manual Review
    Some vulnerabilities require your attention to resolve
    Visit https://go.npm.me/audit-guide for additional guidance

    High          │ Arbitrary File Overwrite
    Package       │ tar
    Patched in    │ >=4.4.2
    Dependency of │ @angular-devkit/build-angular [dev]
    Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar
    More info     │ https://nodesecurity.io/advisories/803

It says "found 1 high severity vulnerability in 42611 scanned packages; 1 vulnerability requires manual review". As it is related to @angular-devkit/build-angular, I am worried whether it will create any other issue in my project.

When I run the npm audit fix command:

    npm WARN optional SKIPPING OPTIONAL 
    DEPENDENCY:fsevents@1.2.9 (node_modules/fsevents):
    npm WARN notsup SKIPPING OPTIONAL 
    DEPENDENCY:Unsupported platform for 
    fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} 
    (current: {"os":"linux","arch":"x64"})

So how do I fix this on a system running the Linux operating system? Let's consider ignoring the above npm audit fix result, because it is only a warning. But the result of npm audit is reported as a high severity vulnerability. How do I fix this?

Angular CLI version:

      Angular CLI: 7.3.8
      Node: 10.0.0
      OS: linux x64
      Angular: 7.2.14
      ... animations, common, compiler, compiler-cli, core, forms
      ... language-service, platform-browser, platform-browser-dynamic
      ... router

      Package                           Version
      -----------------------------------------------------------
      @angular-devkit/architect         0.13.8
      @angular-devkit/build-angular     0.13.8
      @angular-devkit/build-optimizer   0.13.8
      @angular-devkit/build-webpack     0.13.8
      @angular-devkit/core              7.3.8
      @angular-devkit/schematics        7.3.8
      @angular/cli                      7.3.8
      @ngtools/webpack                  7.3.8
      @schematics/angular               7.3.8
      @schematics/update                0.13.8
      rxjs                              6.3.3
      typescript                        3.2.4
      webpack                           4.29.0

Please help me fix this. Thank you.


Answer 1:


I went through this. This is what I've done to fix the audit.

The problem is TAR, which is a dependency of node-gyp.

The solution is here: https://github.com/sass/node-sass/issues/2625. Do what 'mohsenari' has suggested. It worked for me.

For the unsupported optional fsevents, it's another story, but it's just a warning, no big deal.

It occurs because fsevents is an optional dependency, used only when the project is run in a macOS environment (the package provides 'Native Access to Mac OS-X FSEvents').

Source: npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.0.14




Answer 2:


This vulnerability has been fixed.

Delete node_modules and package-lock.json, then run the commands:

  1. npm install
  2. npm audit
  3. npm audit fix
  4. npm audit

"found 0 vulnerabilities" will appear; problem fixed.



Source: https://stackoverflow.com/questions/55969040/how-to-fix-the-npm-audit-report
