
High-severity vulnerability - npm Laravel 8 package and dependencies

How to resolve a high-severity vulnerability - npm Laravel 8 package and dependencies

  High            Denial of Service    
  Package         css-what    
  Patched in      >=5.0.1    
  Dependency of   laravel-mix [dev]    
  Path            laravel-mix > cssnano > cssnano-preset-default >
                  postcss-svgo > svgo > css-select > css-what

This is what npm audit reports. npm update and npm audit fix did not resolve it; some manual work is needed here. If I use npm audit fix --force, it returns the following warning:

@vue/compiler-sfc@3.1.2 requires a peer of vue@3.1.2 but none is installed. You must install peer dependencies yourself.

In that case, if I run npm run dev, it shows two warnings, saying webpack compiled with 2 warnings:

WARNING in ./node_modules/prismjs/components/index.js 42:23-54
Critical dependency: the request of a dependency is an expression
WARNING in ./node_modules/prismjs/components/index.js 45:2-25
Critical dependency: the request of a dependency is an expression

My package.json

{
    "devDependencies": {
        "@fortawesome/fontawesome-svg-core": "^1.2.35",
        "@fortawesome/free-solid-svg-icons": "^5.15.3",
        "@vue/compiler-sfc": "^3.1.2",
        "autosize": "^5.0.0",
        "axios": "^0.21",
        "bootstrap": "^4.6.0",
        "install": "^0.13.0",
        "jquery": "^3.2",
        "laravel-mix": "^6.0.24",
        "lodash": "^4.17.19",
        "markdown-it": "^8.4.2",
        "markdown-it-prism": "^2.1.6",
        "popper.js": "^1.12",
        "postcss": "^8.3.5",
        "resolve-url-loader": "^4.0.0",
        "sass": "^1.35.1",
        "sass-loader": "^8.0.0",
        "typescript": "^4.3.4",
        "vue": "^2.5.17",
        "vue-izitoast": "^1.2.1",
        "vue-loader": "^15.9.7",
        "vue-template-compiler": "^2.6.10"
    },
    "dependencies": {
        "prismjs": "^1.23.0"
    }
}

Update after 26 June 2021

My current npm audit report:

# npm audit report

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install laravel-mix@5.0.9, which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  >=4.0.0-nightly.2020.1.9
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            laravel-mix  5.0.8 || >=6.0.0-alpha.0
            Depends on vulnerable versions of cssnano
            node_modules/laravel-mix

and package.json (updated to)

{
    "devDependencies": {
        "@fortawesome/fontawesome-svg-core": "^1.2.35",
        "@fortawesome/free-solid-svg-icons": "^5.15.3",
        "autosize": "^4.0.2",
        "axios": "^0.21",
        "bootstrap": "^4.3.1",
        "cross-env": "^5.2.1",
        "jquery": "^3.4.1",
        "laravel-mix": "^6.0.25",
        "lodash": "^4.17.19",
        "markdown-it": "^8.4.2",
        "markdown-it-prism": "^2.1.6",
        "popper.js": "^1.15.0",
        "postcss": "^8.3.5",
        "resolve-url-loader": "^4.0.0",
        "sass": "^1.35.1",
        "sass-loader": "^8.0.0",
        "typescript": "^4.3.4",
        "vue": "^2.5.17",
        "vue-izitoast": "^1.2.1",
        "vue-loader": "^15.9.7",
        "vue-template-compiler": "^2.6.10"
    }
}
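An added example in JavaScript, not code from the question or from npm itself: it reads an `npm audit --json` style report, constructed here to mirror the css-what chain in the report above, follows the `effects` edges up to the direct dependency that pulls the vulnerable package in, and reports whether the only available fix is a semver-major bump (which is what the "breaking change" line means). The field names (`isDirect`, `effects`, `via`, `fixAvailable`) are assumed to follow npm 7's audit JSON format.

```javascript
// Added example, not code from the question: walk an `npm audit --json` report
// (npm 7 format) from the vulnerable package up to the direct dependency that
// pulls it in, and say whether the only offered fix is a semver-major change.
// The report object is constructed to mirror the css-what chain in the question;
// field names (isDirect, effects, via, fixAvailable) follow npm 7's audit output.
const fix = { name: "laravel-mix", version: "5.0.9", isSemVerMajor: true };
const advisory = { source: 1754, title: "Denial of Service", url: "https://npmjs.com/advisories/1754", range: "<5.0.1" };
// One vulnerability entry: its vulnerable range, the packages that depend on it
// ("effects"), and whether it is listed directly in package.json.
const node = (range, effects, isDirect = false) =>
  ({ severity: "high", isDirect, range, effects, fixAvailable: fix });
const auditReport = { vulnerabilities: {
  "css-what": { ...node("<5.0.1", ["css-select"]), via: [advisory] },
  "css-select": node("<=3.1.2", ["svgo"]),
  "svgo": node(">=1.0.0", ["postcss-svgo"]),
  "postcss-svgo": node(">=4.0.0-nightly.2020.1.9", ["cssnano-preset-default"]),
  "cssnano-preset-default": node("*", ["cssnano"]),
  "cssnano": node(">=4.0.0-nightly.2020.1.9", ["laravel-mix"]),
  "laravel-mix": node("5.0.8 || >=6.0.0-alpha.0", [], true),
} };

// Follow `effects` edges until a direct dependency is reached. Returns the chain
// of package names, vulnerable package first; a Set guards against cycles.
function dependencyChain(report, pkg) {
  const chain = [pkg];
  const seen = new Set(chain);
  let cur = report.vulnerabilities[pkg];
  while (cur && !cur.isDirect) {
    const next = (cur.effects || []).find((n) => !seen.has(n));
    if (!next) break; // dangling edge: stop instead of looping
    chain.push(next); seen.add(next);
    cur = report.vulnerabilities[next];
  }
  return chain;
}

// Summarise one advisory: which direct dependency must move, and whether the
// available fix crosses a major version (what `npm audit fix --force` would do).
function summarise(report, pkg) {
  const v = report.vulnerabilities[pkg];
  const f = v.fixAvailable;
  const chain = dependencyChain(report, pkg);
  return {
    package: pkg, severity: v.severity, vulnerableRange: v.range,
    directDependency: chain[chain.length - 1], fixable: Boolean(f),
    breaking: typeof f === "object" && f.isSemVerMajor === true,
    fixTarget: typeof f === "object" ? `${f.name}@${f.version}` : null,
  };
}
console.log(summarise(auditReport, "css-what"));
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of the constructed object; a `breaking: true` result means the fix will not apply without `--force`.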
