Fixing npm vulnerabilities

Published 2025-01-17 06:14:07


I am following a TypeScript tutorial.
Unfortunately, the packages are outdated and I got a warning about vulnerabilities.

I followed a bunch of suggestions from npm check and update package if needed, namely:

  • npm audit fix
  • npm audit fix --force
  • npm update

npm audit says there are still 24 vulnerabilities left.
But none of the above commands will fix them.

npm outdated results in no output.

The vulnerable packages are:

ansi-regex
glob-parent
node-forge
nth-check
postcss

I don't actually know why they are part of my project.
I don't have them in my package.json.

What are the next steps for fixing these vulnerabilities?

Below is what I have tried.

You can reproduce my latest state with the following package.json in an empty directory and running npm install.

{
  "name": "pacman",
  "version": "0.0.1",
  "description": "I just follow a tutorial. Nothing of interest.",
  "keywords": ["game"],
  "license": "MIT",
  "author": "someone stupid",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "ansi-regex": "^6.0.1",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "glob-parent": "^6.0.2",
    "node-forge": "^1.3.0",
    "nth-check": "^2.0.1",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "postcss": "^8.4.12",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  },
  "dependencies": {
    "npm": "^8.5.5"
  }
}

This should give you 24 vulnerabilities, 18 moderate and 6 high, at the time of writing, running npm version 8.5.5.


Comments (3)

多情出卖 2025-01-24 06:14:07


As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.

So, what did I do?

  1. Update all dependencies to the latest version.

Next, perform a binary search by removing half of the dependencies and repeating the following steps

  1. delete the node_modules folder
  2. run npm install
  3. run npm audit to check for the vulnerabilities

If there are no vulnerabilities, add half of the remaining packages you want to install.

If there are vulnerabilities, remove the half of the packages you are currently installing.

In my case, this process boiled it down to the following two lines:

"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",

For parcel-bundler, NPM spit out a warning:

npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained. Please migrate to v2, which is published under the 'parcel' package.

So I guess I don't need parcel-bundler at all, because it has been integrated into the parcel package, which I had already updated to version 2 in an earlier step.
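The bisection described in this answer, written out as a POSIX shell helper. This is an added example, not code from the thread; the function names are hypothetical, and it assumes npm is on PATH, that specs are written as name@range with no whitespace, and that a single dependency is responsible for the audit findings.

```shell
#!/bin/sh
# Added example for the bisection described above; not code from the thread.
# Assumes one dependency is responsible for the findings, that package specs
# take the form name@range (e.g. parcel-bundler@^1.12.5) with no whitespace,
# and that npm is on PATH. Function names are hypothetical.

# Predicate: does installing exactly these specs make `npm audit` complain?
# Mirrors the answer's loop (fresh node_modules, npm install, npm audit) in a
# throwaway directory. Returns 0 if vulnerabilities are reported, 1 if clean.
audit_is_vulnerable() {
  dir=$(mktemp -d); deps=""
  for spec in "$@"; do
    name=${spec%@*}; range=${spec##*@}   # ## keeps scoped names like @scope/pkg
    deps="$deps${deps:+,}\"$name\":\"$range\""
  done
  printf '{"name":"bisect","private":true,"devDependencies":{%s}}' "$deps" \
    > "$dir/package.json"
  # npm audit exits non-zero when it finds vulnerabilities, so negate it.
  if (cd "$dir" && rm -rf node_modules && npm install --silent >/dev/null 2>&1 \
      && ! npm audit >/dev/null 2>&1); then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

# Generic bisection: $1 names a predicate that takes a set of specs and returns
# 0 when the set reproduces the problem; the remaining arguments are the specs.
# Each round keeps only the half that still reproduces the problem and prints
# the single spec that remains.
bisect_deps() {
  check=$1; shift
  while [ $# -gt 1 ]; do
    half=$(($# / 2)); i=0; left=""; right=""
    for spec in "$@"; do
      if [ "$i" -lt "$half" ]; then left="$left $spec"; else right="$right $spec"; fi
      i=$((i + 1))
    done
    # Word-splitting on $left/$right is intended: specs contain no whitespace.
    if "$check" $left; then set -- $left; else set -- $right; fi
  done
  printf '%s\n' "$1"
}

# Usage against a real project, e.g. the devDependencies from the question:
#   bisect_deps audit_is_vulnerable "parcel@^2.4.0" "parcel-bundler@^1.12.5" \
#     "eslint@^8.12.0" "prettier@^2.6.1" "typescript@^4.6.3"
```

If more than one dependency contributes findings, the search still converges, but only on one of them; rerun it after removing that package.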

半寸时光 2025-01-24 06:14:07


Try to update all your npm with this command. It helped me.

npm install -g npm@latest

深居我梦 2025-01-24 06:14:07


As noted in your self-answer, the parcel-bundler package is deprecated:

Parcel v1 is no longer maintained. Please migrate to v2, which is published under the 'parcel' package.

The parcel-bundler package is deprecated.

In fact, the npm package name has changed from parcel-bundler to parcel.
Having them both in the same package.json means having two different versions of the exact same package twice, so the word deprecated is rather misleading in this case.

Reproducing your findings – can we trust the audit report?

Thanks for including the package.json in your question.
Doing so makes it possible to reproduce your findings.

  1. I run npm install npm@latest -g, and then npm --version, which responds 10.2.3.

  2. In an empty directory, I add a version of your package.json, then run npm install.[1]

package.json:

{
  "name": "soq-71635274-fix-npm",
  "license": "MIT",
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  }
}

  3. To make sure I have the latest versions of all packages, I then run npx npm-check-updates, followed by npx npm-check-updates -u and npm install.
    The response says 59 vulnerabilities (47 moderate, 12 high),
    and suggests to "Run `npm audit` for details".

  4. So next I run npm audit.
    Here is the beginning of the resulting npm audit security report:

# npm audit report
glob-parent  <5.1.2
Severity: high
…
  5. Since parcel-bundler is obsolete, I remove it from package.json.
    But running npm install doesn't give a clean report.
    It still says 11 moderate severity vulnerabilities.

  6. Running npm audit fix neither changes package.json nor package-lock.json.

  7. Running npm audit fix --force once downgrades parcel in package.json from ^2.10.2 to ^1.12.4.
    The size of package-lock.json increases from 255 kB to 477 kB.

  8. Running npm audit fix --force twice (a second time) re-upgrades parcel from ^1.12.4 back to ^2.10.2 in package.json.
    It decreases the size of package-lock.json from 477 kB to 184 kB.[2]

This also results in 'found 0 vulnerabilities'.

I find this remarkable.
Fixing all the vulnerabilities and running npm install is not enough to get a clean report.
You then also need to run npm audit fix --force twice.[3]

References

[1]
Since you added the packages ansi-regex, glob-parent, node-forge, nth-check, and postcss as direct devDependencies, I decided to undo that by removing them from package.json.
I also removed the dependency on npm@^8.5.5, which I believe stems from you running npm i npm@latest which installs npm locally.
By contrast, I always install npm only globally, npm i npm --global.

[2]
The only difference in package-lock.json before running npm audit fix --force and after running it twice, is that a lot of packages have been removed.
I'd assume that the ones removed are packages that parcel-bundler depends on. Thus, npm install alone does not remove these packages.

[3]
Running npm audit fix --force a third time does not change package.json or package-lock.json anymore.
It seems that once a state of "0 vulnerabilities" is reached, the command npm audit fix --force doesn't induce any more changes.
This makes sense.
