如何解决如何修复 npm 审计漏洞 angular 12.0.3
在我创建新的 Angular 12.0.3 项目后,npm audit 立即检测到 8 个高漏洞和 40 个中等漏洞。
# npm audit report
css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1102.14,which is a breaking change
node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/css-select
svgo >=1.0.0
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default *
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
css-minimizer-webpack-plugin *
Depends on vulnerable versions of cssnano
node_modules/css-minimizer-webpack-plugin
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of css-minimizer-webpack-plugin
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1102.14,which is a breaking change
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of css-minimizer-webpack-plugin
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1102.14,which is a breaking change
node_modules/autoprefixer/node_modules/postcss
node_modules/css-blank-pseudo/node_modules/postcss
node_modules/css-has-pseudo/node_modules/postcss
node_modules/css-prefers-color-scheme/node_modules/postcss
node_modules/postcss-attribute-case-insensitive/node_modules/postcss
node_modules/postcss-color-functional-notation/node_modules/postcss
node_modules/postcss-color-gray/node_modules/postcss
node_modules/postcss-color-hex-alpha/node_modules/postcss
node_modules/postcss-color-mod-function/node_modules/postcss
node_modules/postcss-color-rebeccapurple/node_modules/postcss
node_modules/postcss-custom-media/node_modules/postcss
node_modules/postcss-custom-properties/node_modules/postcss
node_modules/postcss-custom-selectors/node_modules/postcss
node_modules/postcss-dir-pseudo-class/node_modules/postcss
node_modules/postcss-double-position-gradients/node_modules/postcss
node_modules/postcss-env-function/node_modules/postcss
node_modules/postcss-focus-visible/node_modules/postcss
node_modules/postcss-focus-within/node_modules/postcss
node_modules/postcss-font-variant/node_modules/postcss
node_modules/postcss-gap-properties/node_modules/postcss
node_modules/postcss-image-set-function/node_modules/postcss
node_modules/postcss-initial/node_modules/postcss
node_modules/postcss-lab-function/node_modules/postcss
node_modules/postcss-logical/node_modules/postcss
node_modules/postcss-media-minmax/node_modules/postcss
node_modules/postcss-nesting/node_modules/postcss
node_modules/postcss-overflow-shorthand/node_modules/postcss
node_modules/postcss-page-break/node_modules/postcss
node_modules/postcss-place/node_modules/postcss
node_modules/postcss-preset-env/node_modules/postcss
node_modules/postcss-pseudo-class-any-link/node_modules/postcss
node_modules/postcss-replace-overflow-wrap/node_modules/postcss
node_modules/postcss-selector-matches/node_modules/postcss
node_modules/postcss-selector-not/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 9.0.0 - 9.8.6
Depends on vulnerable versions of postcss
node_modules/autoprefixer
css-blank-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
css-has-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
postcss-preset-env >=6.0.0
Depends on vulnerable versions of css-has-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-double-position-gradients
node_modules/postcss-preset-env
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of css-minimizer-webpack-plugin
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
css-prefers-color-scheme *
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
postcss-attribute-case-insensitive 4.0.0 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-color-functional-notation >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 4.0.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-custom-media 7.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 8.0.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 5.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-double-position-gradients *
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-focus-visible >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial 3.0.0 - 3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-logical >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-nesting 7.0.0 - 7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-overflow-shorthand >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link >=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-replace-overflow-wrap 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
resolve-url-loader 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
48 vulnerabilities (40 moderate,8 high)
To address issues that do not require attention,run:
npm audit fix
To address all issues (including breaking changes),run:
npm audit fix --force
尝试解决 npm audit fix 的问题时,没有任何变化。
npm audit fix --force 将漏洞减少到 9 个中等和 7 个高度,但是当我尝试运行该项目时,由于 version mismatch:
Schema validation failed with the following errors:
Data path "" must NOT have additional properties(inlineStyleLanguage).
我已经尝试按照 this answer 中描述的解决方案修复漏洞,但这破坏了项目。
此外,我使用 angular-cli 的 v11-lts 创建了一个项目,但由于不同的漏洞出现了相同的问题:
# npm audit report
css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.901.15,which is a breaking change
node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/css-select
svgo >=1.0.0
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default *
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.901.15,which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.901.15,which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
16 vulnerabilities (9 moderate,7 high)
To address all issues (including breaking changes),run:
npm audit fix --force
有没有办法修复所有漏洞?
通过 npm install @angular-devkit/build-angular@latest 更新 @angular-devkit/build-angular 包后,就像在他的 answer 中描述的 imam hulagur 一样,漏洞减少到 2 个(1 个中等,1 个高)。
之后我尝试运行 npm audit 并且以下输出有助于修复另一个漏洞
=== npm audit security report ===
# Run npm update svgo --depth 6 to resolve 1 vulnerability
High Denial of Service
Package css-what
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > css-minimizer-webpack-plugin
> cssnano > cssnano-preset-default > postcss-svgo > svgo >
css-select > css-what
More info https://npmjs.com/advisories/1754
所以现在只剩下一个漏洞了:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server >
chokidar > glob-parent
More info https://npmjs.com/advisories/1751
包的路径和版本:
+-- @angular-devkit/build-angular@12.1.0
| +-- copy-webpack-plugin@9.0.0
| | +-- fast-glob@3.2.5
| | | `-- glob-parent@5.1.2 deduped
| | `-- glob-parent@6.0.0
| `-- webpack-dev-server@3.11.2
| `-- chokidar@2.1.8
| `-- glob-parent@3.1.0
`-- @angular/compiler-cli@12.0.4
`-- chokidar@3.5.1
`-- glob-parent@5.1.2
解决方法
您是否尝试将此包更新到最新版本@angular-devkit/build-angular?
npm install @angular-devkit/build-angular@latest
,首先在 package.json 中添加一个你想要修复的依赖版本的字段分辨率,例如:
"resolutions": {
"css-what": "5.0.1"
}
然后将 npm-force-resolutions 添加到预安装脚本中,以便它在每次运行 npm 安装之前修补包锁定文件:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
现在只需像往常一样运行 npm install :
npm 安装
我希望这能帮助您解决该问题。
,执行此操作后,如果出现如下错误。 ENOENT:没有那个文件或目录,打开'./package-lock.json'。
试试这个
"preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions"
有关更多信息,您可以参考这些链接
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。