为什么我的 yarn.lock 文件中有僵尸包?

编程问答 2022-05-11

问题描述

我们将所有应用程序部署为 Docker 容器,并且作为构建过程的一部分,通过容器扫描运行它们以阻止包含已知修复漏洞的部署。

我目前在安全扫描中失败,因为我的 yarn.lock 包含 cacache@^12.0.2。但据我所知,绝对没有理由将其放在锁定文件中。例如,如果我运行 yarn why 它似乎没有理由包含包:

/app # yarn why cacache@^12.0.2
yarn why v1.22.4
[1/4] Why do we have the module "cacache@^12.0.2"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
error We Couldn't find a match!
Done in 1.30s.

如何摆脱这些不安全和不必要的依赖?

我尝试擦除锁定文件并从头开始重建。这样做之后,有问题的 12.0.2 版本仍然存在。我还尝试运行 autoclean 命令,它确实删除了大量不必要的分量,但并没有删除这些明显多余且绝对不安全的依赖项。

更新:根据要求,这里是包文件的一部分,其中列出了依赖项:

{
  ... redacted
  "dependencies": {
    "@nuxtjs/axios": "^5.3.6","@sentry/browser": "^5.29.0","@sentry/integrations": "^5.29.0","@sentry/tracing": "^5.29.0","@sentry/vue": "^5.29.0","amplitude-js": "^7.4.1","buefy": "^0.9.3","cacache": "^15.0.6","element-ui": "^2.14.0","file-saver": "^2.0.2","idle-vue": "^2.0.5","is-svg": "^4.2.2","js-cookie": "^2.2.1","launchdarkly-js-client-sdk": "^2.19.1","lodash": "^4.17.15","logrocket": "^1.0.7","logrocket-vuex": "^0.0.3","moment": "^2.26.0","nuxt": "^2.0.0","view-design": "^4.4.0","vue-feather-icons": "^5.1.0","vue-resize-directive": "^1.2.0","vuex-persistedstate": "^3.0.1"
  },"devDependencies": {
    "@olavoparno/jest-badges-readme": "^1.5.1","@vue/test-utils": "^1.0.0-beta.27","babel-core": "^7.0.0-bridge.0","babel-jest": "^24.1.0","clipboardy": "^2.3.0","coffee-loader": "^1.0.0","coffeescript": "^2.5.1","cypress": "^6.8.0","jest": "^26.0.0","node-sass": "^4.14.1","pug": "^3.0.1","pug-plain-loader": "^1.0.0","sass-loader": "^8.0.2","vue-jest": "^4.0.0-rc.0"
  }
}

解决方法

➜ yarn why cacache
yarn why v1.21.1
[1/4] ?  Why do we have the module "cacache"...?
[2/4] ?  Initialising dependency graph...
[3/4] ?  Finding dependency...
[4/4] ?  Calculating file sizes...
=> Found "cacache@15.0.6"
info Has been hoisted to "cacache"
info Reasons this module exists
   - Specified in "dependencies"
   - Hoisted from "nuxt#@nuxt#webpack#terser-webpack-plugin#cacache"
=> Found "webpack#cacache@12.0.4"
info Reasons this module exists
   - "nuxt#@nuxt#webpack#webpack#terser-webpack-plugin" depends on it
   - Hoisted from "nuxt#@nuxt#webpack#webpack#terser-webpack-plugin#cacache"

(作为答案发布,因为这会发表糟糕的评论。)

然后跟进 yarn why terser-webpack-plugin

,

@Dave 很好地回答了这个问题。但是,您还可以采取更多措施来优化您的软件包。

  1. 您可以使用 node-prune 和 ModClean 等包来清理不需要的依赖项。

  2. 在 npm install 上使用 --production 标志。

dockerdockerjavascriptsingle-page-applicationyarnpkg