
# Dependency Audit

## Quick Start

Audit dependencies based on project type:

```bash
# Node.js
npm audit

# Python
pip-audit

# Go
govulncheck ./...
```

## Instructions

### Step 1: Identify Package Manager

Check for manifest files:

- `package.json` / `package-lock.json` → npm/yarn
- `requirements.txt` / `pyproject.toml` → pip
- `go.mod` → Go modules
- `Cargo.toml` → Cargo (Rust)
- `Gemfile` → Bundler (Ruby)

### Step 2: Run Audit

**Node.js (npm):**

```bash
npm audit
npm audit --json  # Machine-readable output
```

**Node.js (yarn):**

```bash
yarn audit
yarn audit --json
```

**Python:**

```bash
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
```

**Go:**

```bash
govulncheck ./...
```

**Ruby:**

```bash
bundle audit check --update
```

### Step 3: Analyze Results

Categorize by severity:

| Severity | CVSS | Action |
|----------|------|--------|
| Critical | 9.0+ | Update immediately |
| High | 7.0-8.9 | Update within 24h |
| Moderate | 4.0-6.9 | Update this sprint |
| Low | < 4.0 | Update when convenient |

### Step 4: Fix Vulnerabilities

**npm - Auto-fix:**

```bash
npm audit fix
npm audit fix --force  # Breaking changes allowed
```

**npm - Manual update:**

```bash
npm update vulnerable-package
# or specific version
npm install vulnerable-package@2.0.0
```

**Python - Update package:**

```bash
pip install --upgrade vulnerable-package
```

or pin a safe version in `requirements.txt` (this is a requirements line, not a shell command):

```
vulnerable-package>=2.0.0
```

### Step 5: Verify Fixes

Re-run audit to confirm:

```bash
npm audit  # Should show 0 vulnerabilities
pip-audit  # Should show no issues
```
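The machine-readable output from Step 2 (`npm audit --json`, `pip-audit --format json`) can be triaged against the Step 3 table and gated the way `--audit-level` does, which is the Step 5 confirmation in script form. The script below is an added example, not part of the original document and not npm's or pip-audit's own code. The two reports embedded in it are constructed samples with placeholder advisory ids, and the field names it reads (`vulnerabilities`, `via`, `fixAvailable`, `range`; `dependencies`, `vulns`, `fix_versions`) are assumed from the npm v7+ audit report format and pip-audit's JSON output. One caveat it handles: pip-audit emits no CVSS score, so its findings land in an `unknown` bucket that the gate treats as failing rather than letting them pass unscored.

```python
"""Triage audit JSON against the Step 3 severity table and gate like --audit-level.

Added example. Sample reports are constructed; field names assume the npm v7+
audit report shape and pip-audit's JSON shape."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Step 3 table: (severity, CVSS floor, required action), checked top-down.
SEVERITY_TABLE = [
    ("critical", 9.0, "Update immediately"),
    ("high", 7.0, "Update within 24h"),
    ("moderate", 4.0, "Update this sprint"),
    ("low", 0.0, "Update when convenient"),
]
LEVEL_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    ecosystem: str
    package: str
    affected: str          # installed version (pip) or vulnerable range (npm)
    advisory: str
    severity: str          # key of LEVEL_RANK, or "unknown" when the report has no score
    cvss: Optional[float]
    fix_available: bool
    fix_versions: list = field(default_factory=list)

    @property
    def action(self) -> str:
        for name, _floor, action in SEVERITY_TABLE:
            if name == self.severity:
                return action
        return "Score manually (no CVSS in report)"


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score onto the Step 3 buckets."""
    for name, floor, _action in SEVERITY_TABLE:
        if score >= floor:
            return name
    return "low"


def parse_npm_audit(report: dict) -> list:
    """Flatten `npm audit --json` (report version 2) into Findings. A `via` entry is
    either an advisory object or a string naming another vulnerable package this one
    depends on; only the objects are advisories."""
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)
        fix_versions = [fix["version"]] if isinstance(fix, dict) else []
        for via in vuln.get("via", []):
            if isinstance(via, str):
                continue
            score = (via.get("cvss") or {}).get("score")
            severity = severity_from_cvss(score) if score else via.get("severity", "unknown")
            findings.append(Finding("npm", name, vuln.get("range", "?"),
                                    via.get("url", via.get("title", "?")),
                                    severity, score, bool(fix), fix_versions))
    return findings


def parse_pip_audit(report: dict) -> list:
    """Flatten `pip-audit --format json` into Findings. No CVSS is reported, so the
    severity stays "unknown" and the action tells the reviewer to score it."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            fixes = list(vuln.get("fix_versions", []))
            findings.append(Finding("pip", dep["name"], dep["version"], vuln["id"],
                                    "unknown", None, bool(fixes), fixes))
    return findings


def failing(findings: list, audit_level: str = "high") -> list:
    """Findings at or above `audit_level`, mirroring `npm audit --audit-level`.
    Unscored findings count as failing so they cannot slip past the gate."""
    threshold = LEVEL_RANK[audit_level]
    return [f for f in findings if LEVEL_RANK.get(f.severity, threshold) >= threshold]


def triage(npm_report: dict, pip_report: dict, audit_level: str = "high"):
    """Parse both reports, order worst-first, and split out what fails the gate."""
    findings = parse_npm_audit(npm_report) + parse_pip_audit(pip_report)
    findings.sort(key=lambda f: -LEVEL_RANK.get(f.severity, 0))
    return findings, failing(findings, audit_level)


# Constructed sample reports; advisory ids are placeholders, not real advisories.
NPM_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "high", "range": "<4.17.21",
               "via": [{"name": "lodash", "title": "Prototype Pollution", "url": "GHSA-EXAMPLE-0001",
                        "severity": "high", "cvss": {"score": 7.4}, "range": "<4.17.21"}],
               "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
    "minimist": {"name": "minimist", "severity": "critical", "range": "<1.2.6",
                 "via": [{"name": "minimist", "title": "Prototype Pollution", "url": "GHSA-EXAMPLE-0002",
                          "severity": "critical", "cvss": {"score": 9.8}, "range": "<1.2.6"}],
                 "fixAvailable": True},
    # depends on the vulnerable minimist: its `via` names that package, not an advisory
    "mkdirp": {"name": "mkdirp", "severity": "critical", "range": "0.4.1 - 0.5.1",
               "via": ["minimist"], "fixAvailable": True}}}
PIP_REPORT = {"dependencies": [
    {"name": "requests", "version": "2.25.0", "vulns": [{"id": "PYSEC-EXAMPLE-0001",
     "fix_versions": ["2.31.0"], "aliases": ["CVE-EXAMPLE-0001"], "description": "constructed"}]},
    {"name": "urllib3", "version": "2.2.1", "vulns": []}], "fixes": []}

if __name__ == "__main__":
    found, gate = triage(NPM_REPORT, PIP_REPORT, audit_level="high")
    for f in found:
        print(f"{f.ecosystem:4} {f.package:10} {f.severity:9} {f.advisory:20} -> {f.action}")
    raise SystemExit(1 if gate else 0)  # non-zero exit is what a CI job keys on
```

To use it on a real project, replace the two constants with `json.load` of the saved `npm audit --json` and `pip-audit --format json` output; an empty gate list after the fixes from Step 4 is the Step 5 confirmation.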

## Common Scenarios

### Transitive Dependencies

When vulnerability is in a sub-dependency:

```bash
# Check dependency tree
npm ls vulnerable-package
```

Force resolution (npm) by adding to `package.json`:

```json
{ "overrides": { "vulnerable-package": "2.0.0" } }
```
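`npm ls vulnerable-package` answers which direct dependency pulls the package in, and `overrides` pins a version, but neither shows whether a nested copy under some `node_modules/a/node_modules/` survived the fix. The script below is an added example, not npm's own code: it reads the `packages` map of a lockfile v2/v3 (`package-lock.json`), rebuilds the chains the way `npm ls` reports them by following Node's nearest-`node_modules` resolution, lists every installed copy still below the fixed version, and checks whether a `package.json` override pins the fix. The lockfile and `package.json` embedded in it are constructed samples; the `packages`, `version`, `dependencies` and `devDependencies` key names are assumed from the lockfile format, and only the simple `"name": "version"` override form shown above is handled.

```python
"""Trace chains to a vulnerable transitive package and verify the fix took hold.

Added example; the lockfile and package.json below are constructed samples."""


def parse_version(v: str) -> tuple:
    """'1.2.5' -> (1, 2, 5); prerelease/build suffixes are dropped for this example."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))


def resolve(packages: dict, from_key: str, dep: str):
    """Lockfile key that `dep` resolves to when required from `from_key`, walking up
    through parent node_modules folders the way Node's loader does."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_chains(lock: dict, target: str) -> list:
    """Every route from a direct dependency down to `target`, like `npm ls <target>`.
    Each chain is a list of 'name@version' strings."""
    packages = lock["packages"]
    chains = []

    def walk(key: str, names: list, seen: frozenset):
        node = packages[key]
        deps = dict(node.get("dependencies", {}))
        if key == "":  # the root entry also lists devDependencies
            deps.update(node.get("devDependencies", {}))
        for dep in deps:
            dep_key = resolve(packages, key, dep)
            if dep_key is None or dep_key in seen:  # not installed (optional) or a cycle
                continue
            chain = names + [f"{dep}@{packages[dep_key]['version']}"]
            if dep == target:
                chains.append(chain)
            else:
                walk(dep_key, chain, seen | {dep_key})

    walk("", [], frozenset())
    return chains


def unfixed_copies(lock: dict, target: str, fixed_in: str) -> list:
    """Lockfile keys of every installed copy of `target` older than `fixed_in`.
    Nested copies are the ones a top-level `npm update` can leave behind."""
    return [key for key, pkg in lock["packages"].items()
            if (key == f"node_modules/{target}" or key.endswith(f"/node_modules/{target}"))
            and parse_version(pkg["version"]) < parse_version(fixed_in)]


def override_pins_fix(package_json: dict, target: str, fixed_in: str) -> bool:
    """True when package.json `overrides` pins `target` to at least `fixed_in`."""
    pinned = package_json.get("overrides", {}).get(target)
    return pinned is not None and parse_version(pinned) >= parse_version(fixed_in)


# Constructed lockfile: minimist is installed twice, one nested copy still vulnerable.
LOCK = {"name": "my-app", "lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "dependencies": {"mkdirp": "^0.5.1", "yargs": "^17.0.0"},
         "devDependencies": {"mocha": "^9.0.0"}},
    "node_modules/mkdirp": {"version": "0.5.1", "dependencies": {"minimist": "^1.2.5"}},
    "node_modules/minimist": {"version": "1.2.6"},
    "node_modules/mkdirp/node_modules/minimist": {"version": "1.2.5"},
    "node_modules/yargs": {"version": "17.7.2", "dependencies": {"yargs-parser": "^21.0.0"}},
    "node_modules/yargs-parser": {"version": "21.1.1"},
    "node_modules/mocha": {"version": "9.2.2", "dev": True, "dependencies": {"minimist": "^1.2.5"}},
}}
PACKAGE_JSON = {"name": "my-app", "overrides": {}}  # constructed: no override yet

if __name__ == "__main__":
    for chain in dependency_chains(LOCK, "minimist"):
        print(" -> ".join(chain))
    print("still vulnerable:", unfixed_copies(LOCK, "minimist", "1.2.6"))
    print("override pins fix:", override_pins_fix(PACKAGE_JSON, "minimist", "1.2.6"))
```

Run it against the real files by loading `package-lock.json` and `package.json` with `json.load`; after adding the override and reinstalling, `unfixed_copies` returning an empty list is the check that the nested copy is gone.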

### No Fix Available

When no patched version exists:

1. Check if vulnerability affects your usage
2. Consider alternative packages
3. Implement workarounds if possible
4. Monitor for updates

### Breaking Changes

When fix requires major version bump:

1. Review changelog for breaking changes
2. Update code to accommodate changes
3. Run tests thoroughly
4. Consider gradual rollout

## Report Format

```markdown
# Dependency Audit Report

Project: my-app
Date: 2024-01-15
Total Dependencies: 245
Vulnerabilities Found: 3

## Critical (1)

### lodash - Prototype Pollution
- Installed: 4.17.15
- Fixed in: 4.17.21
- CVE: CVE-2021-23337
- Fix: `npm install lodash@4.17.21`

## High (1)

### axios - SSRF Vulnerability
- Installed: 0.21.0
- Fixed in: 0.21.2
- CVE: CVE-2021-3749
- Fix: `npm install axios@0.21.2`

## Moderate (1)

### minimist - Prototype Pollution
- Installed: 1.2.5
- Fixed in: 1.2.6
- CVE: CVE-2021-44906
- Fix: `npm audit fix`
```

## CI/CD Integration

### GitHub Actions

```yaml
- name: Audit dependencies
  run: |
    npm audit --audit-level=high
    # Fails if high or critical vulnerabilities found
```

### Pre-commit

`package.json` scripts:

```json
{ "scripts": { "precommit": "npm audit --audit-level=moderate" } }
```