pnpm audit
Checks for known security issues with the installed packages.
If security issues are found, try to update your dependencies via pnpm update. If a simple update does not fix all the issues, use overrides to force versions that are not vulnerable. For instance, if lodash@<2.1.0 is vulnerable, use this override to force lodash@^2.1.0:
{
  "pnpm": {
    "overrides": {
      "lodash@<2.1.0": "^2.1.0"
    }
  }
}
Or alternatively, run pnpm audit --fix.
If you want to tolerate some vulnerabilities because they don't affect your project, you may use the pnpm.auditConfig.ignoreCves setting.
Options
--audit-level <severity>
- Type: low, moderate, high, critical
- Default: low
Only print advisories with severity greater than or equal to <severity>.
--fix
Add overrides to the package.json file in order to force non-vulnerable versions of the dependencies.
--json
Output the audit report in JSON format.
--dev, -D
Only audit dev dependencies.
--prod, -P
Only audit production dependencies.
--no-optional
Don't audit optionalDependencies.
--ignore-registry-errors
If the registry responds with a non-200 status code, exit with 0 instead of failing. The process then fails only when the registry actually responds successfully and reports vulnerabilities; note that a registry outage will therefore not fail the audit.