pnpm audit
在已安裝的套件中檢查已知的安全性問題。
If security issues are found, try to update your dependencies via pnpm update.
If a simple update does not fix all the issues, use overrides to force
versions that are not vulnerable. For instance, if lodash@<2.1.0 is vulnerable,
use this overrides to force lodash@^2.1.0:
overrides:
"lodash@<2.1.0": "^2.1.0"
Or alternatively, run pnpm audit --fix.
If you want to tolerate some vulnerabilities as they don't affect your project, you may use the auditConfig.ignoreCves setting.
Options
--audit-level <severity>
- Type: low, moderate, high, critical
- Default: low
Only print advisories with severity greater than or equal to <severity>.
--fix
Add overrides to the package.json file in order to force non-vulnerable versions of the dependencies.
--json
以 JSON 格式輸出檢查報告。
--dev, -D
僅檢查開發中 dev 的依賴套件。
--prod, -P
僅檢查實際 production 的依賴套件。
--no-optional
Don't audit optionalDependencies.
--ignore-registry-errors
如果依賴套件registry 以非 Http 狀態碼 200 進行回應,則進程應以 0 退出。 因此,只有在registry已順利回應發現的漏洞時,程序才會退出。
--ignore-unfixable
Added in: v10.11.0
Ignore all CVEs with no resolution.
--ignore <vulnerability>
Added in: v10.11.0
Ignore a vulnerability by CVE.