I updated the Angular CLI and created a new project with routing and SCSS.
When I run npm install I see:
41 vulnerabilities (4 low, 37 moderate)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
I used the first command, npm audit fix, and it showed me this:
up to date, audited 985 packages in 5s
90 packages are looking for funding
run `npm fund` for details
# npm audit report
node-forge <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/node-forge
selfsigned >=1.1.1
Depends on vulnerable versions of node-forge
node_modules/selfsigned
webpack-dev-server >=2.5.0
Depends on vulnerable versions of selfsigned
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
postcss <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/autoprefixer/node_modules/postcss
node_modules/css-blank-pseudo/node_modules/postcss
node_modules/css-has-pseudo/node_modules/postcss
node_modules/css-prefers-color-scheme/node_modules/postcss
node_modules/postcss-attribute-case-insensitive/node_modules/postcss
node_modules/postcss-color-functional-notation/node_modules/postcss
node_modules/postcss-color-gray/node_modules/postcss
node_modules/postcss-color-hex-alpha/node_modules/postcss
node_modules/postcss-color-mod-function/node_modules/postcss
node_modules/postcss-color-rebeccapurple/node_modules/postcss
node_modules/postcss-custom-media/node_modules/postcss
node_modules/postcss-custom-properties/node_modules/postcss
node_modules/postcss-custom-selectors/node_modules/postcss
node_modules/postcss-dir-pseudo-class/node_modules/postcss
node_modules/postcss-double-position-gradients/node_modules/postcss
node_modules/postcss-env-function/node_modules/postcss
node_modules/postcss-focus-visible/node_modules/postcss
node_modules/postcss-focus-within/node_modules/postcss
node_modules/postcss-font-variant/node_modules/postcss
node_modules/postcss-gap-properties/node_modules/postcss
node_modules/postcss-image-set-function/node_modules/postcss
node_modules/postcss-initial/node_modules/postcss
node_modules/postcss-lab-function/node_modules/postcss
node_modules/postcss-logical/node_modules/postcss
node_modules/postcss-media-minmax/node_modules/postcss
node_modules/postcss-nesting/node_modules/postcss
node_modules/postcss-overflow-shorthand/node_modules/postcss
node_modules/postcss-page-break/node_modules/postcss
node_modules/postcss-place/node_modules/postcss
node_modules/postcss-preset-env/node_modules/postcss
node_modules/postcss-pseudo-class-any-link/node_modules/postcss
node_modules/postcss-replace-overflow-wrap/node_modules/postcss
node_modules/postcss-selector-matches/node_modules/postcss
node_modules/postcss-selector-not/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 1.0.20131222 - 9.8.8
Depends on vulnerable versions of postcss
node_modules/autoprefixer
postcss-preset-env <=7.0.0
Depends on vulnerable versions of autoprefixer
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-color-mod-function
Depends on vulnerable versions of postcss-double-position-gradients
Depends on vulnerable versions of postcss-focus-visible
Depends on vulnerable versions of postcss-focus-within
Depends on vulnerable versions of postcss-initial
Depends on vulnerable versions of postcss-page-break
node_modules/postcss-preset-env
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
css-blank-pseudo <=1.0.0
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
css-has-pseudo <=1.0.0
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-prefers-color-scheme <=4.0.0
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
postcss-attribute-case-insensitive <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-color-functional-notation <=3.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 1.3.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function *
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple 1.2.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-custom-media 4.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 3.3.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 2.3.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-double-position-gradients <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-focus-visible <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within <=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 1.2.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function <=3.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial <=3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function <=3.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-logical <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 1.2.0 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-nesting <=7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-overflow-shorthand <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link <=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-replace-overflow-wrap <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches *
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
After that I ran npm audit fix --force
Now I have
25 vulnerabilities (3 low, 15 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
And I also can no longer start the project
An unhandled exception occurred: require() of ES Module /Users/gboutte/Documents/my-project/node_modules/@angular/compiler-cli/bundles/index.js from /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js not supported.
Instead change the require of index.js in /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js to a dynamic import() which is available in all CommonJS modules.
See "/private/var/folders/yq/67x6zpfj695czhn4sqrwvxp40000gn/T/ng-h8zNpR/angular-errors.log" for further details.
Should I ignore these errors, or is there a way to fix them? I saw postcss mentioned in the vulnerabilities; should I use something other than SCSS?
Reply from a uj5u.com user:
I'm afraid you just have to live with these vulnerabilities. Angular has a very strict set of dependencies, and by changing the versions of those dependencies you have broken your application.
Make sure to update your Angular project as often as possible, since the Angular team regularly updates Angular's dependencies to mitigate these issues.
Reply from a uj5u.com user:
Agree with Will Alexander; we should probably live with these vulnerabilities for now and upgrade to a newer Angular 13.x.x that patches them. On the bright side, for the way most people use Angular, these look like low-risk vulnerabilities (caveat: these are my best guesses; if I've missed something, please chime in):
node-forge looks like it is used to create the self-signed SSL certificate for the local development server (usually localhost:4200) at runtime with ng serve. postcss is used by the build tooling to process and modify CSS (adding vendor prefixes, etc.). Not sure, but I think Angular still uses it even if you use CSS rather than SCSS.
So both of these are used only in development and are not deployed to production (where prototype pollution and RegEx DoS would be significant risks).
Also, automating with npm audit fix --force when you are on the current Angular version (v13) can cause more problems than it solves. It rolled @angular-devkit/build-angular back from 13.1.2 (for Angular v13) to 0.1101.2 (v11-lts, long-term support for Angular v11). The mismatch between the v11 build tooling and the v13 code is likely what caused the unhandled exception when you tried to run it.
tl;dr: develop with Angular without npm audit fix (in this case!), since these vulnerabilities are not deployed to production. Updating to a newer Angular v13.x.x will hopefully clean up npm audit in the near future.