pnpm audit
检查已安装包的已知安全问题。
If security issues are found, try to update your dependencies via pnpm update.
If a simple update does not fix all the issues, use overrides to force
versions that are not vulnerable. For instance, if lodash@<2.1.0 is vulnerable,
use this overrides to force lodash@^2.1.0:
{
"pnpm": {
"overrides": {
"lodash@<2.1.0": "^2.1.0"
}
}
}
Or alternatively, run pnpm audit --fix.
If you want to tolerate some vulnerabilities as they don't affect your project, you may use the pnpm.auditConfig.ignoreCves setting.
配置项
--audit-level <severity>
- Type: low, moderate, high, critical
- Default: low
Only print advisories with severity greater than or equal to <severity>.
--fix
Add overrides to the package.json file in order to force non-vulnerable versions of the dependencies.
--json
以 JSON 格式输出审查报告。
--dev, -D
仅审查开发依赖项。
--prod, -P
仅审查生产依赖项。
--no-optional
Don't audit optionalDependencies.
--ignore-registry-errors
如果注册表响应了非 200 状态码,则进程应以 0 退出。 所以只有当注册表真正的成功响应了有发现的漏洞时,该进程才会执行失败。