人工审核-部分漏洞需要您关注解决
Manual Review - Some vulnerabilities require your attention to resolve
npm audit
=== npm audit security report ===
# Run npm update terser-webpack-plugin --depth 3 to resolve 1 vulnerability
Moderate Cross-Site Scripting
Package serialize-javascript
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack >
terser-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1426
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > copy-webpack-plugin >
serialize-javascript
More info https://npmjs.com/advisories/1426
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > terser-webpack-plugin >
serialize-javascript
More info https://npmjs.com/advisories/1426
found 3 moderate severity vulnerabilities in 18591 scanned packages
run `npm audit fix` to fix 1 of them.
2 vulnerabilities require manual review. See the full report for details.
package.json
{
"name": "client",
"version": "0.0.1",
"author": "Ionic Framework",
"homepage": "https://ionicframework.com/",
"scripts": {
"ng": "ng",
"start": "ng serve",
"build": "ng build",
"test": "ng test",
"lint": "ng lint",
"e2e": "ng e2e"
},
"private": true,
"dependencies": {
"@angular/common": "8.1.2",
"@angular/compiler": "8.1.2",
"@angular/core": "8.1.2",
"@angular/fire": "5.2.3",
"@angular/forms": "8.1.2",
"@angular/platform-browser": "8.1.2",
"@angular/platform-browser-dynamic": "8.1.2",
"@angular/router": "8.1.2",
"@ionic-native/camera": "5.12.0",
"@ionic-native/contacts": "5.12.0",
"@ionic-native/core": "5.0.0",
"@ionic-native/facebook": "5.12.0",
"@ionic-native/file": "5.12.0",
"@ionic-native/firebase-x": "5.12.0",
"@ionic-native/http": "5.13.0",
"@ionic-native/splash-screen": "5.0.0",
"@ionic-native/status-bar": "5.0.0",
"@ionic/angular": "4.11.5",
"@ionic/storage": "2.2.0",
"@nomadreservations/ngx-stripe": "1.2.0-beta.0",
"angular-cropperjs": "1.0.1",
"cordova-android": "8.0.0",
"cordova-ios": "5.0.1",
"cordova-plugin-advanced-http": "2.1.1",
"cordova-plugin-androidx": "1.0.2",
"cordova-plugin-androidx-adapter": "1.1.0",
"cordova-plugin-camera": "4.1.0",
"cordova-plugin-contacts": "3.0.1",
"cordova-plugin-device": "2.0.2",
"cordova-plugin-facebook4": "6.0.0",
"cordova-plugin-file": "6.0.2",
"cordova-plugin-firebasex": "6.0.7",
"cordova-plugin-ionic-keyboard": "2.1.3",
"cordova-plugin-ionic-webview": "4.1.1",
"cordova-plugin-splashscreen": "5.0.2",
"cordova-plugin-statusbar": "2.4.2",
"cordova-plugin-whitelist": "1.3.3",
"cordova-sqlite-storage": "^3.4.1",
"core-js": "2.5.4",
"firebase": "7.4.0",
"ionic": "5.4.6",
"jsurl": "0.1.5",
"lodash": "^4.17.15",
"moment": "^2.24.0",
"ngx-image-cropper": "1.4.1",
"ngx-moment": "^3.5.0",
"rxjs": "6.5.3",
"socket.io": "2.2.0",
"tslib": "1.10.0",
"zone.js": "0.9.1"
},
"devDependencies": {
"@angular-devkit/architect": "0.801.2",
"@angular-devkit/build-angular": "^0.801.2",
"@angular-devkit/core": "8.1.2",
"@angular-devkit/schematics": "8.1.2",
"@angular/cli": "8.1.2",
"@angular/compiler-cli": "8.1.2",
"@angular/language-service": "8.1.2",
"@ionic/angular-toolkit": "^2.1.1",
"@types/jasmine": "3.3.8",
"@types/jasminewd2": "2.0.3",
"@types/node": "8.9.4",
"codelyzer": "5.0.0",
"cordova-plugin-device": "2.0.2",
"cordova-plugin-ionic-keyboard": "2.1.3",
"cordova-plugin-ionic-webview": "4.1.1",
"cordova-plugin-splashscreen": "5.0.2",
"cordova-plugin-statusbar": "2.4.2",
"cordova-plugin-whitelist": "1.3.3",
"jasmine-core": "3.4.0",
"jasmine-spec-reporter": "4.2.1",
"karma": "4.1.0",
"karma-chrome-launcher": "2.2.0",
"karma-coverage-istanbul-reporter": "2.0.1",
"karma-jasmine": "2.0.1",
"karma-jasmine-html-reporter": "1.4.0",
"protractor": "5.4.0",
"ts-node": "7.0.0",
"tslint": "5.15.0",
"typescript": "3.4.5"
},
"description": "An Ionic project",
"cordova": {
"plugins": {
"cordova-plugin-whitelist": {},
"cordova-plugin-statusbar": {},
"cordova-plugin-device": {},
"cordova-plugin-splashscreen": {},
"cordova-plugin-ionic-webview": {
"ANDROID_SUPPORT_ANNOTATIONS_VERSION": "27.+"
},
"cordova-plugin-ionic-keyboard": {},
"cordova-plugin-camera": {
"ANDROID_SUPPORT_V4_VERSION": "27.+"
},
"cordova-plugin-firebasex": {
"ANDROID_ICON_ACCENT": "#FF00FFFF",
"ANDROID_PLAY_SERVICES_TAGMANAGER_VERSION": "17.0.0",
"ANDROID_FIREBASE_CORE_VERSION": "17.0.0",
"ANDROID_FIREBASE_MESSAGING_VERSION": "19.0.0",
"ANDROID_FIREBASE_CONFIG_VERSION": "18.0.0",
"ANDROID_FIREBASE_PERF_VERSION": "18.0.0",
"ANDROID_FIREBASE_AUTH_VERSION": "18.0.0",
"ANDROID_CRASHLYTICS_VERSION": "2.10.1",
"ANDROID_CRASHLYTICS_NDK_VERSION": "2.1.0",
"ANDROID_SHORTCUTBADGER_VERSION": "1.1.22"
},
"cordova-plugin-contacts": {},
"cordova-plugin-advanced-http": {
"OKHTTP_VERSION": "3.10.0"
},
"cordova-plugin-facebook4": {
"APP_ID": "412958516026250",
"APP_NAME": "Peeps",
"FACEBOOK_HYBRID_APP_EVENTS": "false",
"FACEBOOK_ANDROID_SDK_VERSION": "5.2.0"
},
"cordova-sqlite-storage": {}
},
"platforms": [
"ios",
"android"
]
}
}
跨站脚本
序列化-javascript
npm 文档:https://www.npmjs.com/advisories/1426
上面写着:
Overview
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Remediation
Upgrade to version 2.1.1 or later.
但我没有在 package.json 文件上使用 serialize-javascript。我怎样才能解决这个问题?
OP的反馈
我们也需要添加这个:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
原创
这似乎与 Angular 依赖项有关,对我来说似乎很新,因此 Angular 团队可能会很快解决。
作为解决方法,请尝试 "resolve" 依赖于您自己。
首先你需要一个第三方助手:
https://github.com/rogeriochaves/npm-force-resolutions
然后在您的 package.json 添加:
"resolutions": {
"serialize-javascript": "^2.1.1"
}
最后:
rm -r node_modules
npx npm-force-resolutions
npm install
@angular-devkit/build-angular v8.3.21 已发布。 npm audit fix 现在自动修复此漏洞。
参考:https://github.com/angular/angular-cli/issues/16414#issuecomment-567990763
npm audit
=== npm audit security report ===
# Run npm update terser-webpack-plugin --depth 3 to resolve 1 vulnerability
Moderate Cross-Site Scripting
Package serialize-javascript
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack >
terser-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1426
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > copy-webpack-plugin >
serialize-javascript
More info https://npmjs.com/advisories/1426
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > terser-webpack-plugin >
serialize-javascript
More info https://npmjs.com/advisories/1426
found 3 moderate severity vulnerabilities in 18591 scanned packages
run `npm audit fix` to fix 1 of them.
2 vulnerabilities require manual review. See the full report for details.
package.json
{
"name": "client",
"version": "0.0.1",
"author": "Ionic Framework",
"homepage": "https://ionicframework.com/",
"scripts": {
"ng": "ng",
"start": "ng serve",
"build": "ng build",
"test": "ng test",
"lint": "ng lint",
"e2e": "ng e2e"
},
"private": true,
"dependencies": {
"@angular/common": "8.1.2",
"@angular/compiler": "8.1.2",
"@angular/core": "8.1.2",
"@angular/fire": "5.2.3",
"@angular/forms": "8.1.2",
"@angular/platform-browser": "8.1.2",
"@angular/platform-browser-dynamic": "8.1.2",
"@angular/router": "8.1.2",
"@ionic-native/camera": "5.12.0",
"@ionic-native/contacts": "5.12.0",
"@ionic-native/core": "5.0.0",
"@ionic-native/facebook": "5.12.0",
"@ionic-native/file": "5.12.0",
"@ionic-native/firebase-x": "5.12.0",
"@ionic-native/http": "5.13.0",
"@ionic-native/splash-screen": "5.0.0",
"@ionic-native/status-bar": "5.0.0",
"@ionic/angular": "4.11.5",
"@ionic/storage": "2.2.0",
"@nomadreservations/ngx-stripe": "1.2.0-beta.0",
"angular-cropperjs": "1.0.1",
"cordova-android": "8.0.0",
"cordova-ios": "5.0.1",
"cordova-plugin-advanced-http": "2.1.1",
"cordova-plugin-androidx": "1.0.2",
"cordova-plugin-androidx-adapter": "1.1.0",
"cordova-plugin-camera": "4.1.0",
"cordova-plugin-contacts": "3.0.1",
"cordova-plugin-device": "2.0.2",
"cordova-plugin-facebook4": "6.0.0",
"cordova-plugin-file": "6.0.2",
"cordova-plugin-firebasex": "6.0.7",
"cordova-plugin-ionic-keyboard": "2.1.3",
"cordova-plugin-ionic-webview": "4.1.1",
"cordova-plugin-splashscreen": "5.0.2",
"cordova-plugin-statusbar": "2.4.2",
"cordova-plugin-whitelist": "1.3.3",
"cordova-sqlite-storage": "^3.4.1",
"core-js": "2.5.4",
"firebase": "7.4.0",
"ionic": "5.4.6",
"jsurl": "0.1.5",
"lodash": "^4.17.15",
"moment": "^2.24.0",
"ngx-image-cropper": "1.4.1",
"ngx-moment": "^3.5.0",
"rxjs": "6.5.3",
"socket.io": "2.2.0",
"tslib": "1.10.0",
"zone.js": "0.9.1"
},
"devDependencies": {
"@angular-devkit/architect": "0.801.2",
"@angular-devkit/build-angular": "^0.801.2",
"@angular-devkit/core": "8.1.2",
"@angular-devkit/schematics": "8.1.2",
"@angular/cli": "8.1.2",
"@angular/compiler-cli": "8.1.2",
"@angular/language-service": "8.1.2",
"@ionic/angular-toolkit": "^2.1.1",
"@types/jasmine": "3.3.8",
"@types/jasminewd2": "2.0.3",
"@types/node": "8.9.4",
"codelyzer": "5.0.0",
"cordova-plugin-device": "2.0.2",
"cordova-plugin-ionic-keyboard": "2.1.3",
"cordova-plugin-ionic-webview": "4.1.1",
"cordova-plugin-splashscreen": "5.0.2",
"cordova-plugin-statusbar": "2.4.2",
"cordova-plugin-whitelist": "1.3.3",
"jasmine-core": "3.4.0",
"jasmine-spec-reporter": "4.2.1",
"karma": "4.1.0",
"karma-chrome-launcher": "2.2.0",
"karma-coverage-istanbul-reporter": "2.0.1",
"karma-jasmine": "2.0.1",
"karma-jasmine-html-reporter": "1.4.0",
"protractor": "5.4.0",
"ts-node": "7.0.0",
"tslint": "5.15.0",
"typescript": "3.4.5"
},
"description": "An Ionic project",
"cordova": {
"plugins": {
"cordova-plugin-whitelist": {},
"cordova-plugin-statusbar": {},
"cordova-plugin-device": {},
"cordova-plugin-splashscreen": {},
"cordova-plugin-ionic-webview": {
"ANDROID_SUPPORT_ANNOTATIONS_VERSION": "27.+"
},
"cordova-plugin-ionic-keyboard": {},
"cordova-plugin-camera": {
"ANDROID_SUPPORT_V4_VERSION": "27.+"
},
"cordova-plugin-firebasex": {
"ANDROID_ICON_ACCENT": "#FF00FFFF",
"ANDROID_PLAY_SERVICES_TAGMANAGER_VERSION": "17.0.0",
"ANDROID_FIREBASE_CORE_VERSION": "17.0.0",
"ANDROID_FIREBASE_MESSAGING_VERSION": "19.0.0",
"ANDROID_FIREBASE_CONFIG_VERSION": "18.0.0",
"ANDROID_FIREBASE_PERF_VERSION": "18.0.0",
"ANDROID_FIREBASE_AUTH_VERSION": "18.0.0",
"ANDROID_CRASHLYTICS_VERSION": "2.10.1",
"ANDROID_CRASHLYTICS_NDK_VERSION": "2.1.0",
"ANDROID_SHORTCUTBADGER_VERSION": "1.1.22"
},
"cordova-plugin-contacts": {},
"cordova-plugin-advanced-http": {
"OKHTTP_VERSION": "3.10.0"
},
"cordova-plugin-facebook4": {
"APP_ID": "412958516026250",
"APP_NAME": "Peeps",
"FACEBOOK_HYBRID_APP_EVENTS": "false",
"FACEBOOK_ANDROID_SDK_VERSION": "5.2.0"
},
"cordova-sqlite-storage": {}
},
"platforms": [
"ios",
"android"
]
}
}
跨站脚本 序列化-javascript
npm 文档:https://www.npmjs.com/advisories/1426
上面写着:
Overview
Versions of
serialize-javascriptprior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.Remediation
Upgrade to version 2.1.1 or later.
但我没有在 package.json 文件上使用 serialize-javascript。我怎样才能解决这个问题?
OP的反馈
我们也需要添加这个:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
原创
这似乎与 Angular 依赖项有关,对我来说似乎很新,因此 Angular 团队可能会很快解决。 作为解决方法,请尝试 "resolve" 依赖于您自己。
首先你需要一个第三方助手: https://github.com/rogeriochaves/npm-force-resolutions
然后在您的 package.json 添加:
"resolutions": {
"serialize-javascript": "^2.1.1"
}
最后:
rm -r node_modules
npx npm-force-resolutions
npm install
@angular-devkit/build-angular v8.3.21 已发布。 npm audit fix 现在自动修复此漏洞。
参考:https://github.com/angular/angular-cli/issues/16414#issuecomment-567990763