Why are there zombie packages in my yarn.lock file?
We deploy all of our applications as Docker containers, and as part of the build process we run them through a container scan that blocks any deployment containing known vulnerabilities for which a fix exists.
My security scan is currently failing because my yarn.lock contains cacache@^12.0.2. As far as I can tell, though, there is absolutely no reason for it to be in the lockfile. For example, if I run yarn why, there appears to be no reason for the package to be included at all:
/app # yarn why cacache@^12.0.2
yarn why v1.22.4
[1/4] Why do we have the module "cacache@^12.0.2"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
error We couldn't find a match!
Done in 1.30s.
How do I get rid of these insecure and unnecessary dependencies?
I have tried wiping the lockfile and rebuilding it from scratch. After doing so, the offending 12.0.2 version is still there. I have also tried running the autoclean command, which did remove a lot of unnecessary weight but did not remove these clearly superfluous and decidedly insecure dependencies.
Update: as requested, here is the part of the package file that lists the dependencies:
{
... redacted
"dependencies": {
"@nuxtjs/axios": "^5.3.6",
"@sentry/browser": "^5.29.0",
"@sentry/integrations": "^5.29.0",
"@sentry/tracing": "^5.29.0",
"@sentry/vue": "^5.29.0",
"amplitude-js": "^7.4.1",
"buefy": "^0.9.3",
"cacache": "^15.0.6",
"element-ui": "^2.14.0",
"file-saver": "^2.0.2",
"idle-vue": "^2.0.5",
"is-svg": "^4.2.2",
"js-cookie": "^2.2.1",
"launchdarkly-js-client-sdk": "^2.19.1",
"lodash": "^4.17.15",
"logrocket": "^1.0.7",
"logrocket-vuex": "^0.0.3",
"moment": "^2.26.0",
"nuxt": "^2.0.0",
"view-design": "^4.4.0",
"vue-feather-icons": "^5.1.0",
"vue-resize-directive": "^1.2.0",
"vuex-persistedstate": "^3.0.1"
},
"devDependencies": {
"@olavoparno/jest-badges-readme": "^1.5.1",
"@vue/test-utils": "^1.0.0-beta.27",
"babel-core": "^7.0.0-bridge.0",
"babel-jest": "^24.1.0",
"clipboardy": "^2.3.0",
"coffee-loader": "^1.0.0",
"coffeescript": "^2.5.1",
"cypress": "^6.8.0",
"jest": "^26.0.0",
"node-sass": "^4.14.1",
"pug": "^3.0.1",
"pug-plain-loader": "^1.0.0",
"sass-loader": "^8.0.2",
"vue-jest": "^4.0.0-rc.0"
}
}
➜ yarn why cacache
yarn why v1.21.1
[1/4] Why do we have the module "cacache"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "cacache@15.0.6"
info Has been hoisted to "cacache"
info Reasons this module exists
- Specified in "dependencies"
- Hoisted from "nuxt#@nuxt#webpack#terser-webpack-plugin#cacache"
=> Found "webpack#cacache@12.0.4"
info Reasons this module exists
- "nuxt#@nuxt#webpack#webpack#terser-webpack-plugin" depends on it
- Hoisted from "nuxt#@nuxt#webpack#webpack#terser-webpack-plugin#cacache"
(Posted as an answer because this would make a terrible comment.)
Then, of course, follow up with yarn why terser-webpack-plugin.
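As an added example that is not part of the original question or answers: when yarn why rejects a range descriptor such as cacache@^12.0.2, the same lookup can be done directly on the yarn.lock v1 text, which is what the plain Node.js code below does. SAMPLE_LOCK is a constructed lockfile that mirrors the webpack > terser-webpack-plugin > cacache chain shown in Dave's output, and parseYarnLock and whyDescriptor are names chosen for this example.

```javascript
// Added example (not from the original post): resolve a yarn.lock v1 descriptor such as
// "cacache@^12.0.2" to its pinned version and list who requests it, with Node built-ins only.
// SAMPLE_LOCK is constructed to mirror the question's dependency chain, not a real lockfile.
const SAMPLE_LOCK = `# yarn lockfile v1
cacache@^12.0.2:
  version "12.0.4"
cacache@^15.0.6:
  version "15.0.6"
terser-webpack-plugin@^1.4.3:
  version "1.4.5"
  dependencies:
    cacache "^12.0.2"
webpack@^4.46.0:
  version "4.46.0"
  dependencies:
    terser-webpack-plugin "^1.4.3"
`;
function parseYarnLock(text) {
  const entries = [];
  let entry = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length, line = raw.trim();
    if (indent === 0) { // header: comma-separated descriptors (maybe quoted) ending in ":"
      const descriptors = line.slice(0, -1).split(",").map((d) => d.trim().replace(/^"|"$/g, ""));
      entries.push(entry = { descriptors, version: null, dependencies: {} });
    } else if (indent === 2) { // fields: version, resolved, integrity, (optional)dependencies:
      inDeps = /^(optionalD|d)ependencies:$/.test(line);
      if (line.startsWith("version ")) entry.version = line.slice(9, -1);
    } else if (indent === 4 && inDeps) { // `name "range"` pairs; scoped names are quoted
      const m = line.match(/^"?([^"\s]+)"? "([^"]*)"$/);
      if (m) entry.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}
// `yarn why` for a range: pinned version plus every requester chain, walked up to entries
// nobody depends on (in a pruned lockfile those are package.json's own dependencies).
function whyDescriptor(entries, descriptor) {
  const target = entries.find((e) => e.descriptors.includes(descriptor));
  if (!target) return { version: null, chains: [] };
  const chains = [];
  const walk = (e, path) => {
    const parents = entries.filter((p) => !path.includes(p) && e.descriptors.some((d) =>
      p.dependencies[d.slice(0, d.lastIndexOf("@"))] === d.slice(d.lastIndexOf("@") + 1)));
    if (!parents.length) chains.push(path.map((x) => x.descriptors[0]));
    parents.forEach((p) => walk(p, [p, ...path]));
  };
  walk(target, [target]);
  return { version: target.version, chains };
}
console.log(whyDescriptor(parseYarnLock(SAMPLE_LOCK), "cacache@^12.0.2"));
```

Against a real lockfile, pass fs.readFileSync("yarn.lock", "utf8") to parseYarnLock; a descriptor whose chain climbs to a direct dependency, as cacache@^12.0.2 does here through webpack, is not an orphan that a fresh install will drop, but a transitive pin that only changes when that chain is upgraded or overridden.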
@Dave answered this question nicely. However, there is more you can do to optimize your package.
You can use packages such as node-prune and ModClean to clean up unneeded dependencies.
Use the --production flag on npm install.