Version: Next

pnpm audit

Checks for known security issues with the installed packages.

If security issues are found, update your dependencies with pnpm update. If a simple update does not fix all the issues, use overrides to force versions that are not vulnerable. For example, if lodash@<2.1.0 is vulnerable, use this override to force lodash@^2.1.0:

pnpm-workspace.yaml
overrides:
  "lodash@<2.1.0": "^2.1.0"

Alternatively, run pnpm audit --fix.

If you want to tolerate some vulnerabilities as they don't affect your project, you may use the auditConfig.ignoreGhsas setting.

Since v11, pnpm audit queries the registry's /-/npm/v1/security/advisories/bulk endpoint. The response does not include CVE identifiers, so advisories are filtered by GitHub advisory ID (GHSA) instead. If you previously listed CVEs under auditConfig.ignoreCves, replace each entry with the corresponding GHSA-xxxx-xxxx-xxxx value (shown in the More info column of pnpm audit output) under auditConfig.ignoreGhsas.

Options

--audit-level <severity>

  • Type: low, moderate, high, critical
  • Default: low

Only print advisories with a severity greater than or equal to <severity>.

This can also be set via auditLevel in pnpm-workspace.yaml.

--fix

Add overrides to the pnpm-workspace.yaml file in order to force non-vulnerable versions of the dependencies.

Use --fix=update (added in v11.0.0) to fix vulnerabilities by updating packages in the lockfile instead of adding overrides.

When minimumReleaseAge is set, --fix also adds the minimum patched version of each advisory to minimumReleaseAgeExclude in pnpm-workspace.yaml, so the security fix can be installed without waiting for the release age window.

--interactive, -i

Added in: v11.0.0

Review the advisories selected by --fix and pick which ones to apply. Only usable together with --fix.

--json

Output the audit report in JSON format.

--dev, -D

Only audit dev dependencies.

--prod, -P

Only audit production dependencies.

--no-optional

Don't audit optionalDependencies.

--ignore-registry-errors

If the registry responds with a non-200 status code, the process should exit with 0. So the process will only fail if the registry actually successfully responds with vulnerabilities found.

--ignore-unfixable

Added in: v10.11.0

Ignore all advisories with no resolution.

Since v11, unfixable advisories are tracked by GHSA rather than CVE.

--ignore <vulnerability>

Added in: v10.11.0

Ignore a vulnerability by its GitHub advisory ID (GHSA). Before v11 this flag accepted CVE identifiers.

Configuration

auditConfig

auditConfig.ignoreGhsas

A list of GHSA codes that will be ignored by the pnpm audit command.

auditConfig:
  ignoreGhsas:
    - GHSA-42xw-2xvc-qx8m
    - GHSA-4w2v-q235-vp99
    - GHSA-cph5-m8f7-6c5x
    - GHSA-vh95-rmgr-6w4m

Before v11, auditConfig.ignoreCves was used to filter advisories by CVE identifier. That setting is no longer recognized.
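The following is an added example, not pnpm's own code, that models on a constructed audit report how the settings on this page combine: the --audit-level threshold, the GHSA ignore list (--ignore and auditConfig.ignoreGhsas), --ignore-unfixable, the overrides entries that the "use overrides to force versions that are not vulnerable" section and --fix describe, and the exit-status rule of --ignore-registry-errors. The report layout (advisories keyed by id with github_advisory_id, module_name, severity, vulnerable_versions and patched_versions fields) is an assumption modelled on the npm advisory format, the GHSA ids and package versions are placeholders, and the "<0.0.0" marker for "no fix available" is assumed; the override format follows the page's lodash example.

```python
"""Model of how pnpm audit filters advisories and what --fix writes.

Added example, not pnpm's own code. The report layout is an assumption
modelled on the npm advisory format; GHSA ids and versions are placeholders.
"""
from __future__ import annotations

import re

# --audit-level order: only advisories at or above the threshold are reported.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample report (assumed shape, placeholder GHSA ids).
SAMPLE_REPORT = {
    "advisories": {
        "1": {
            "github_advisory_id": "GHSA-xxxx-xxxx-0001",
            "module_name": "lodash",
            "severity": "high",
            "vulnerable_versions": "<2.1.0",
            "patched_versions": ">=2.1.0",
        },
        "2": {
            "github_advisory_id": "GHSA-xxxx-xxxx-0002",
            "module_name": "left-pad",
            "severity": "low",
            "vulnerable_versions": "*",
            "patched_versions": "<0.0.0",  # assumed marker for "no fix available"
        },
        "3": {
            "github_advisory_id": "GHSA-xxxx-xxxx-0003",
            "module_name": "minimist",
            "severity": "moderate",
            "vulnerable_versions": "<1.2.6",
            "patched_versions": ">=1.2.6",
        },
    }
}


def is_fixable(adv: dict) -> bool:
    """An advisory is fixable when a real patched version range exists."""
    return adv.get("patched_versions", "") not in ("", "<0.0.0")


def select_advisories(report, *, audit_level="low", ignore_ghsas=(), ignore_unfixable=False):
    """Advisories pnpm audit would still report under the given settings.

    audit_level      mirrors --audit-level
    ignore_ghsas     mirrors --ignore / auditConfig.ignoreGhsas
    ignore_unfixable mirrors --ignore-unfixable
    """
    threshold = SEVERITY_RANK[audit_level]
    ignored = set(ignore_ghsas)
    kept = []
    for adv in report["advisories"].values():
        if SEVERITY_RANK[adv["severity"]] < threshold:
            continue
        if adv["github_advisory_id"] in ignored:
            continue
        if ignore_unfixable and not is_fixable(adv):
            continue
        kept.append(adv)
    return kept


_MIN_PATCHED = re.compile(r">=\s*(\d+\.\d+\.\d+)")


def min_patched_version(patched_versions: str):
    """Lowest version satisfying a '>=x.y.z' range, or None if there is none."""
    m = _MIN_PATCHED.search(patched_versions)
    return m.group(1) if m else None


def overrides_for(advisories):
    """Map '<name>@<vulnerable range>' -> '^<min patched>' (the page's example format)."""
    overrides = {}
    for adv in advisories:
        floor = min_patched_version(adv.get("patched_versions", ""))
        if floor is None:
            continue  # unfixable: there is no version to force
        overrides[f'{adv["module_name"]}@{adv["vulnerable_versions"]}'] = f"^{floor}"
    return overrides


def render_overrides_yaml(overrides) -> str:
    """Render the overrides block in the layout pnpm-workspace.yaml uses."""
    lines = ["overrides:"]
    for key in sorted(overrides):
        lines.append(f'  "{key}": "{overrides[key]}"')
    return "\n".join(lines) + "\n"


def audit_exit_code(registry_status: int, remaining, ignore_registry_errors=False) -> int:
    """Non-200 registry reply fails unless --ignore-registry-errors; otherwise fail on findings."""
    if registry_status != 200:
        return 0 if ignore_registry_errors else 1
    return 1 if remaining else 0


if __name__ == "__main__":
    found = select_advisories(SAMPLE_REPORT, audit_level="moderate")
    print(f"{len(found)} advisories at or above moderate")
    print(render_overrides_yaml(overrides_for(found)), end="")
```

Running the script reports the two advisories at moderate or above and prints the overrides block for them; the low-severity, unfixable left-pad entry is excluded by the threshold and, even at --audit-level low, produces no override because there is no patched version to force.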