pnpm audit
查看已安裝模組的已知安全問題。
如果發現了安全性問題,請您嘗試透過 pnpm update
命令更新依賴套件。 如果簡單的更新沒有辦法解決所有問題,請使用 overrides 來強制使用沒有漏洞的版本。 例如,如果 lodash@<2.1.0
存在漏洞,可以用 overrides
來強制使用 lodash@^2.1.0
:
{
"pnpm": {
"overrides": {
"lodash@<2.1.0": "^2.1.0"
}
}
}
或者,執行 pnpm audit --fix
。
If you want to tolerate some vulnerabilities as they don't affect your project, you may use the pnpm.auditConfig.ignoreCves
setting.
參數
--audit-level <severity>
- 類型: low, moderate, high, critical
- 預設: low
Only print advisories with severity greater than or equal to <severity>
.
--fix
Add overrides to the package.json
file in order to force non-vulnerable versions of the dependencies.
--json
Output audit report in JSON format.
--dev, -D
Only audit dev dependencies.
--prod, -P
Only audit production dependencies.
--no-optional
Don't audit optionalDependencies
.
--ignore-registry-errors
If the registry responds with a non-200 status code, the process should exit with 0. So the process will fail only if the registry actually successfully responds with found vulnerabilities.