I have a Nuxt project and I am trying to install nuxt auth, but every time I install this package, this Axios cross-site request forgery vulnerability shows up. This is my package.json file:

```json
{
  "name": "nuxt-app",
  "private": true,
  "type": "module",
  "scripts": {
    "build": "nuxt build",
    "dev": "nuxt dev",
    "generate": "nuxt generate",
    "preview": "nuxt preview",
    "postinstall": "nuxt prepare"
  },
  "dependencies": {
    "@mdi/font": "^7.4.47",
    "@nuxtjs/auth-next": "^5.0.0-1667386184.dfbbb54",
    "axios": "^1.6.8",
    "nuxt": "^3.10.3",
    "vue": "^3.4.21",
    "vue-router": "^4.3.0"
  },
  "devDependencies": {
    "sass": "^1.71.1",
    "vite-plugin-vuetify": "^2.0.3",
    "vuetify": "^3.5.9"
  }
}
```

I searched online for a fix and found that the solution to this problem is to install axios version >= 1.6.0. So I installed the latest axios version, but the problem persists. I checked that the installed version is greater than or equal to 1.6.0 and that it is in the package.json file, by running the following command: `npm list`. I also tried installing on another computer, and deleted package-lock.json and the node_modules folder and installed all dependencies again, but neither approach worked. I also tried running the command `npm audit fix --force`, but it did not work. What am I missing?

The npm audit report mentions this vulnerability.
The correct command to list the nested `axios` dependencies is `npm list axios`. It shows that both `@nuxtjs/auth-next` and `@nuxtjs/axios` depend on Axios 0.x:

```
+-- @nuxtjs/[email protected]
| +-- @nuxtjs/[email protected]
| | `-- [email protected]
| `-- [email protected]
+-- [email protected]
`-- [email protected]
  `-- @nuxt/[email protected]
    `-- @vue/[email protected]
      `-- @vue/[email protected]
        `-- @vueuse/[email protected]
          `-- [email protected] deduped
```

The goal is to eliminate the nested [email protected] dependencies in favour of the project's `axios`.

This requires adding an `overrides` section to package.json:

```json
"overrides": {
  "@nuxtjs/auth-next": {
    "axios": "$axios",
    "@nuxtjs/axios": {
      "axios": "$axios"
    }
  }
}
```

and fully reinstalling the dependencies by deleting `package-lock.json` and `node_modules` and running `npm i`. As a result, the output of `npm list axios` should be:

```
+-- @nuxtjs/[email protected] overridden
| +-- @nuxtjs/[email protected] overridden
| | `-- [email protected] deduped <--
| `-- [email protected] deduped <--
+-- [email protected]
`-- [email protected]
  `-- @nuxt/[email protected]
    `-- @vue/[email protected]
      `-- @vue/[email protected]
        `-- @vueuse/[email protected]
          `-- [email protected] deduped
```
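As an added example (not code from the question or the answer), the following script automates the check the answer performs by hand: it walks the JSON tree that `npm ls axios --json --all` prints, reports every resolved copy of axios with a flag for versions below the 1.6.0 fix named in the question, and derives the nested `overrides` block from the vulnerable paths. The tree shape (`{ version, dependencies: { name: node } }`) and the sample versions are assumptions; the sample tree is constructed, since the real nested versions are not recoverable from the page.

```javascript
const MIN_FIXED = "1.6.0"; // fixed axios version named in the question

// True if semver string a sorts before b (major.minor.patch only; pre-release tags ignored).
function semverBelow(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Returns [{ path: "@nuxtjs/auth-next > axios", version, vulnerable }] for every node named `pkg`.
function findCopies(tree, pkg = "axios", path = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && node.version) {
      found.push({ path: here.join(" > "), version: node.version,
                   vulnerable: semverBelow(node.version, MIN_FIXED) });
    }
    found.push(...findCopies(node, pkg, here)); // recurse into nested dependencies
  }
  return found;
}

// Nest one "$pkg" reference per vulnerable path, producing the shape of the answer's overrides block.
function buildOverrides(findings, pkg = "axios") {
  const overrides = {};
  for (const f of findings.filter((x) => x.vulnerable)) {
    let cur = overrides;
    for (const parent of f.path.split(" > ").slice(0, -1)) cur = cur[parent] || (cur[parent] = {});
    cur[pkg] = `$${pkg}`;
  }
  return overrides;
}

// Constructed sample tree (before the override); the 0.x versions are placeholders, not the page's.
const sampleTree = {
  dependencies: {
    "@nuxtjs/auth-next": {
      version: "5.0.0-1667386184.dfbbb54",
      dependencies: {
        "@nuxtjs/axios": { version: "0.0.0-placeholder", dependencies: { axios: { version: "0.21.0" } } },
        axios: { version: "0.21.0" },
      },
    },
    axios: { version: "1.6.8" },
  },
};

console.log(findCopies(sampleTree));
console.log(JSON.stringify({ overrides: buildOverrides(findCopies(sampleTree)) }, null, 2));
```

After applying the override and reinstalling, feed the real `npm ls axios --json --all` output to `findCopies` and confirm that no entry is flagged `vulnerable`.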