问题描述

配置hexo的时候遇到如下的警告信息，

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

虽然不影响程序运行，但是看着就不爽，这种平时跑项目也经常遇到，所以干脆好好研究一下：

根据它的提示输入 npm audit fix 有时候能解决部分问题，大多数时候并没啥卵用

再输入 npm audit，打印如下：

                       === npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         clean-css                                                     
                                                                                
  Patched in      >=4.1.11                                                      
                                                                                
  Dependency of   hexo-renderer-pug                                             
                                                                                
  Path            hexo-renderer-pug > pug > pug-filters > clean-css             
                                                                                
  More info       https://npmjs.com/advisories/785                              
                                                                                
found 1 low severity vulnerability in 9977 scanned packages
  1 vulnerability requires manual review. See the full report for details.

我并没有安装clean-css啊

我去npm看一下hexo-renderer-pug包的依赖，有一个依赖 1 Dependencies pug，一直找，刚好是上面打印信息里的Path

所以重点关注 Dependency of hexo-renderer-pug，不是版本高了，就是版本低了，然后降低一个版本就好了

npm i hexo-renderer-pug@0.0.3