GitHub Dependabot alert: Inefficient Regular Expression Complexity in nth-check

Posted 2025-01-10 10:26:29


Possible duplicate, but couldn't find any clear answers.

> Dependabot cannot update nth-check to a non-vulnerable version
> The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:
>
> [email protected] requires nth-check@^1.0.2 via a transitive dependency on [email protected]

Just upgraded to [email protected] from 4.0.0.


靖瑶 2025-01-17 10:26:30


Open package.json. You will find this:

  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3"
  }

Take react-scripts and move it to devDependencies (if you don't have it, create it):

  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },

Then, ensure you run "npm audit --production".

This will fix your warnings.

回忆凄美了谁 2025-01-17 10:26:30


I had the same error and I fixed it by doing:

  1. Added the following in package.json:

  "overrides": {
    "nth-check": "^2.1.1"
  }

  2. Ran npm i, then npm audit fix.

本宫微胖 2025-01-17 10:26:30


I am also on react-scripts@^5.0.0.

So, I would personally recommend using yarn first. But everybody has their own preferences! To do so, you can type

npm install --global yarn

After that you can remove your package-lock file and run the following command in the folder of your app, of course:

yarn

(such a surprise.) This will generate a yarn.lock file. Note that you should avoid using yarn and npm at the same time!

In that very same yarn.lock file, you will have to search for the nth-check string! In a brand new react app (so far), you should find 8 occurrences of that string. This string will be set next to a package version. That's what you want to change.

In my case, I have for example

nth-check@^1.0.2: // so far. This version can be different for an older project.
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"

You want to change all those wrong versions. It should look like this:

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz"

You will have to change a couple of versions though. Not just one. I did it (6 times, I believe).
If you save the file, launch a simple

yarn

command followed by a

yarn audit

It SHOULD fix one of your problems!

Hope this was helpful. Cheers!

命比纸薄 2025-01-17 10:26:30


If any of the above mentioned methods didn't work, then try this:

First check if the vulnerability is used in your code, using

npm-check

Now, if the vulnerable module is not used in the code, then head over to the 'package-lock.json' and search for the vulnerability path, like

node_modules/svgo/node_modules/nth-check

and remove this dependency in the json file.

Then run

npm audit

This will display

found 0 vulnerabilities

This mostly occurs when you used

npx create-react-app "app"

and tried to install a module "React-Scripts".

つ可否回来 2025-01-17 10:26:30


I had to change a particular dependency and its child dependency version to 2.0.1; in my case the dependency which had the problem was "css-select@npm:^2.0.0".

Just search for nth-check in the yarn.lock file and you will find the nth-check dependency as a child dependency inside "css-select@npm:^2.0.0". There you need to change the version from "1.0.2" to "2.0.1"; it would look something like below:

"css-select@npm:^2.0.0":
  version: 2.1.0
  resolution: "css-select@npm:2.1.0"
  dependencies:
    boolbase: ^1.0.0
    css-what: ^3.2.1
    domutils: ^1.7.0
    nth-check: ^2.0.1 # this is where you need to make the change
  checksum: 0c4099910f2411e2a9103cf92ea6a4ad738b57da75bcf73d39ef2c14a00ef36..
  languageName: node
  linkType: hard

Any dependency still using this old version of nth-check as a child dependency has to be updated, and that will fix the issue.
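
The two yarn.lock answers above edit nth-check entries by hand. As an added example (not from either answer), the script below lists every nth-check entry in a yarn.lock, handling both the classic v1 layout (version "1.0.2") and the berry layout (version: 2.1.0) quoted above, and flags any entry whose resolved version is still below 2.0.1; the lockfile text it runs on is constructed.

```javascript
// Added example: find every nth-check entry in a yarn.lock and flag the ones
// still resolved below the fixed release the thread names (2.0.1).
const FIXED_VERSION = '2.0.1';

// Compare plain x.y.z strings; negative when a < b. Pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function scanYarnLock(text, pkgName = 'nth-check') {
  const entries = [];
  let current = null; // entry whose indented lines we are currently inside
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header line: one or more comma-separated selectors, possibly quoted, ending with ':'
      const selectors = line.replace(/:\s*$/, '').split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      const mine = selectors.filter(s => s.startsWith(pkgName + '@'));
      current = mine.length ? { selectors: mine, version: null } : null;
      if (current) entries.push(current);
      continue;
    }
    // "  version "1.0.2"" (v1) or "  version: 2.1.0" (berry); two-space indent only
    const m = current && line.match(/^ {2}version:?\s+"?(\d+(?:\.\d+)*)"?\s*$/);
    if (m) current.version = m[1];
  }
  return entries.map(e => ({ ...e, outdated: compareVersions(e.version, FIXED_VERSION) < 0 }));
}

// Constructed v1-style sample, modelled on the entries quoted in the thread.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1
css-select@^2.0.0:
  version "2.1.0"
  dependencies:
    nth-check "^1.0.2"

nth-check@^1.0.2, nth-check@~1.0.1:
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"

nth-check@^2.0.1:
  version "2.0.1"
`;

for (const e of scanYarnLock(SAMPLE_YARN_LOCK)) {
  console.log(`${e.selectors.join(', ')} -> ${e.version}${e.outdated ? ' (below 2.0.1)' : ''}`);
}
```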

朕就是辣么酷 2025-01-17 10:26:30


To identify nth-check outdated dependencies, please run the command:

npm list nth-check

Then you will see in your terminal something like:

`--  [email protected]

`--  [email protected]

Here you can see that some dependencies are updated and others outdated. Next, in your editor you could search in all your files for "nth-check" and you will see which files have version "[email protected]", for example.

Then you replace these dependencies manually with the last version that you see, for example:

[email protected] instead of [email protected]

Then in your terminal tray again:

npm i

and this vulnerability should disappear.

裂开嘴轻声笑有多痛 2025-01-17 10:26:30


Thanks to this GitHub thread, I was able to solve this.
This basically helps Snyk to remove the scanning issue on nth-check.

  "dependencies": {
    "react-scripts": "^5.0.1",
    "web-vitals": "^2.1.4",
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss": "^8.4.38"
  }

See more: GitHub Answer

如此安好 2025-01-17 10:26:30


In the package-lock.json, make the updates for all of the nth-check fields based on the version in the GitHub Dependabot alert:

For example, for >=2.0.1, update the fields (version, resolved and nth-check) as shown below:

"node_modules/svgo/node_modules/nth-check": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz", // just update version part (2.0.1)
      ...
}

"node_modules/svgo/node_modules/css-what": {
@@ -23901,7 +23901,7 @@
        ...
        "nth-check": ">=2.0.1"

After this, run npm audit --production to verify.

单挑你×的.吻 2025-01-17 10:26:30


https://github.com/facebook/create-react-app/issues/4342

Check this link.
Clearly you can see that react-scripts is not a devDependency.
The react-scripts package includes polyfills that are used in production.
So the answer that you have marked as right is not right.

眼泪淡了忧伤 2025-01-17 10:26:30


In your CMD, check
"npm -g list"

and "npm install -g create-react-app"

After that, "npx create-react-app ./"

沉溺在你眼里的海 2025-01-17 10:26:29


As Dan Abramov explains in this issue, it is (very likely) a false alarm and can be safely dismissed.

More specifically, if you are using CRA and nth-check is referenced only from it, it is not an issue, because CRA is a build tool and the vulnerable code will never get into the resulting application bundle and thus will never be called by client code.

You can verify this by moving "react-scripts" into "devDependencies" in package.json and running npm audit --production.
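
The package-lock.json answer earlier edits nth-check entries by hand, and this answer says npm audit --production is the check that shows whether the remaining copies matter. As an added example (not from either answer), the script below reads a lockfileVersion 2/3 "packages" map, lists every installed copy of nth-check with its version and whether the lockfile marks it dev-only, and reports which copies a production audit would still care about; the lockfile object is constructed.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3 "packages" map)
// for every installed copy of nth-check, check it against the fixed release the
// thread names (2.0.1), and tell dev-only copies apart from production ones.
const FIXED = [2, 0, 1];

// True when the plain x.y.z string `version` sorts below the `target` tuple.
function isBelow(version, target) {
  const parts = version.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((parts[i] || 0) !== (target[i] || 0)) return (parts[i] || 0) < (target[i] || 0);
  }
  return false;
}

// Every lockfile entry whose last path segment is the package, nested copies included.
function findCopies(lock, pkgName = 'nth-check') {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || path.split('node_modules/').pop() !== pkgName) continue;
    copies.push({
      path,
      version: entry.version,
      devOnly: entry.dev === true, // npm sets this when only devDependencies reach the entry
      vulnerable: isBelow(entry.version, FIXED),
    });
  }
  return copies;
}

// Vulnerable copies that `npm audit --production` (or `--omit=dev`) would still report.
function productionFindings(lock, pkgName = 'nth-check') {
  return findCopies(lock, pkgName).filter(c => c.vulnerable && !c.devOnly);
}

// Constructed lock, modelled on the paths quoted in the thread: react-scripts is a
// devDependency, so the old nested copy under svgo is marked dev-only.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { react: '^17.0.2' }, devDependencies: { 'react-scripts': '4.0.3' } },
    'node_modules/nth-check': { version: '2.0.1' },
    'node_modules/react-scripts': { version: '4.0.3', dev: true },
    'node_modules/svgo/node_modules/nth-check': { version: '1.0.2', dev: true },
  },
};

for (const c of findCopies(SAMPLE_LOCK)) {
  console.log(`${c.path}@${c.version} dev-only=${c.devOnly} vulnerable=${c.vulnerable}`);
}
console.log('production findings:', productionFindings(SAMPLE_LOCK).length);
```

If react-scripts is moved back to "dependencies" the nested copy loses its dev flag and shows up as a production finding, which is exactly the difference the audit flag reports.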

蓝色星空 2025-01-17 10:26:29


A few points before telling you the workaround:

  1. It seems that the react-scripts vulnerability is a false alarm
    (as discussed here). Dan Abramov also wrote a fascinating in-depth blog
    post
    about how npm audit works and how it's somehow broken, especially for front-end tooling, by design.

  2. Since react-scripts is essentially a build tool, even if the vulnerability was
    indeed genuine, it would be considered only a development issue since it'll
    be stripped from the production bundle anyway.

So if you do nothing about this so-called "vulnerability", nothing bad is going to happen and it's perfectly fine. But if the red alarm that a vulnerability exists is annoying you aesthetically or is disrupting your CI/CD, then read on.

Workaround:

The problem seems to be starting with the lib @svgr/webpack 4.0.0 - 5.0.0.

If you are using node version >= 16, you can install @svgr/webpack by yourself; in my case I installed the version ^6.2.1 as a devDependency.

After that, you should create an overrides (or resolutions, if you are using yarn) section in your package.json and include the line: "@svgr/webpack": "$@svgr/webpack".

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

Workaround credit.

街角卖回忆 2025-01-17 10:26:29


I confirm that it still works as of react-scripts 5.0.1: you can move your version of react-scripts from "dependencies" to "devDependencies" in package.json like this:

  "devDependencies": {
    "react-scripts": "^5.0.1"
  },

"devDependencies are packages that are consumed by requiring them in files or run as binaries, during the development phase. These are packages that are only necessary during development and not necessary for the production build."

Run "npm audit --production" to show that you do not need react-scripts in production.

Of course, if you still run into vulnerabilities, another package might have caused the vulnerability.

https://dev.to/moimikey/demystifying-devdependencies-and-dependencies-5ege
