Critical vulnerability - npm laravel 8 packages and dependencies

Problem description

  High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   laravel-mix [dev]
  Path            laravel-mix > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what

This is what npm audit indicates. npm update / npm audit fix did not resolve this; manual work is needed here. If I use npm audit fix --force, it returns the following warning:

@vue/compiler-sfc@3.1.2 requires a peer of vue@3.1.2 but none is installed. You must install peer dependencies yourself.

In this situation, if I run npm run dev, it shows two warnings, saying webpack compiled with 2 warnings:

WARNING in ./node_modules/prismjs/components/index.js 42:23-54
Critical dependency: the request of a dependency is an expression
WARNING in ./node_modules/prismjs/components/index.js 45:2-25
Critical dependency: the request of a dependency is an expression

My package.json

"devDependencies": {
    "@fortawesome/fontawesome-svg-core": "^1.2.35",
    "@fortawesome/free-solid-svg-icons": "^5.15.3",
    "@vue/compiler-sfc": "^3.1.2",
    "autosize": "^5.0.0",
    "axios": "^0.21",
    "bootstrap": "^4.6.0",
    "install": "^0.13.0",
    "jquery": "^3.2",
    "laravel-mix": "^6.0.24",
    "lodash": "^4.17.19",
    "markdown-it": "^8.4.2",
    "markdown-it-prism": "^2.1.6",
    "popper.js": "^1.12",
    "postcss": "^8.3.5",
    "resolve-url-loader": "^4.0.0",
    "sass": "^1.35.1",
    "sass-loader": "^8.0.0",
    "typescript": "^4.3.4",
    "vue": "^2.5.17",
    "vue-izitoast": "^1.2.1",
    "vue-loader": "^15.9.7",
    "vue-template-compiler": "^2.6.10"
},
"dependencies": {
    "prismjs": "^1.23.0"
}
}

Update after 26 June 2021

My npm audit report at the moment:

# npm audit report

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install laravel-mix@5.0.9, which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  >=4.0.0-nightly.2020.1.9
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            laravel-mix  5.0.8 || >=6.0.0-alpha.0
            Depends on vulnerable versions of cssnano
            node_modules/laravel-mix

and package.json (updated to)

"devDependencies": {
    "@fortawesome/fontawesome-svg-core": "^1.2.35",
    "@fortawesome/free-solid-svg-icons": "^5.15.3",
    "autosize": "^4.0.2",
    "axios": "^0.21",
    "bootstrap": "^4.3.1",
    "cross-env": "^5.2.1",
    "jquery": "^3.4.1",
    "laravel-mix": "^6.0.25",
    "lodash": "^4.17.19",
    "markdown-it": "^8.4.2",
    "markdown-it-prism": "^2.1.6",
    "popper.js": "^1.15.0",
    "postcss": "^8.3.5",
    "resolve-url-loader": "^4.0.0",
    "sass": "^1.35.1",
    "sass-loader": "^8.0.0",
    "typescript": "^4.3.4",
    "vue": "^2.5.17",
    "vue-izitoast": "^1.2.1",
    "vue-loader": "^15.9.7",
    "vue-template-compiler": "^2.6.10"
}

Solution

No effective solution to this problem has been found yet; the editor is still searching and compiling one.

