Angular 新项目漏洞
Angular new project vulnerabilities
我更新了 angular cli 并创建了一个新项目,带有路由和 scss。
当我 运行 npm install 我看到:
41 vulnerabilities (4 low, 37 moderate)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
我使用了第一个命令 npm audit fix,它向我展示了这个:
up to date, audited 985 packages in 5s
90 packages are looking for funding
run `npm fund` for details
# npm audit report
node-forge <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/node-forge
selfsigned >=1.1.1
Depends on vulnerable versions of node-forge
node_modules/selfsigned
webpack-dev-server >=2.5.0
Depends on vulnerable versions of selfsigned
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
postcss <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/autoprefixer/node_modules/postcss
node_modules/css-blank-pseudo/node_modules/postcss
node_modules/css-has-pseudo/node_modules/postcss
node_modules/css-prefers-color-scheme/node_modules/postcss
node_modules/postcss-attribute-case-insensitive/node_modules/postcss
node_modules/postcss-color-functional-notation/node_modules/postcss
node_modules/postcss-color-gray/node_modules/postcss
node_modules/postcss-color-hex-alpha/node_modules/postcss
node_modules/postcss-color-mod-function/node_modules/postcss
node_modules/postcss-color-rebeccapurple/node_modules/postcss
node_modules/postcss-custom-media/node_modules/postcss
node_modules/postcss-custom-properties/node_modules/postcss
node_modules/postcss-custom-selectors/node_modules/postcss
node_modules/postcss-dir-pseudo-class/node_modules/postcss
node_modules/postcss-double-position-gradients/node_modules/postcss
node_modules/postcss-env-function/node_modules/postcss
node_modules/postcss-focus-visible/node_modules/postcss
node_modules/postcss-focus-within/node_modules/postcss
node_modules/postcss-font-variant/node_modules/postcss
node_modules/postcss-gap-properties/node_modules/postcss
node_modules/postcss-image-set-function/node_modules/postcss
node_modules/postcss-initial/node_modules/postcss
node_modules/postcss-lab-function/node_modules/postcss
node_modules/postcss-logical/node_modules/postcss
node_modules/postcss-media-minmax/node_modules/postcss
node_modules/postcss-nesting/node_modules/postcss
node_modules/postcss-overflow-shorthand/node_modules/postcss
node_modules/postcss-page-break/node_modules/postcss
node_modules/postcss-place/node_modules/postcss
node_modules/postcss-preset-env/node_modules/postcss
node_modules/postcss-pseudo-class-any-link/node_modules/postcss
node_modules/postcss-replace-overflow-wrap/node_modules/postcss
node_modules/postcss-selector-matches/node_modules/postcss
node_modules/postcss-selector-not/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 1.0.20131222 - 9.8.8
Depends on vulnerable versions of postcss
node_modules/autoprefixer
postcss-preset-env <=7.0.0
Depends on vulnerable versions of autoprefixer
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-color-mod-function
Depends on vulnerable versions of postcss-double-position-gradients
Depends on vulnerable versions of postcss-focus-visible
Depends on vulnerable versions of postcss-focus-within
Depends on vulnerable versions of postcss-initial
Depends on vulnerable versions of postcss-page-break
node_modules/postcss-preset-env
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
css-blank-pseudo <=1.0.0
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
css-has-pseudo <=1.0.0
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-prefers-color-scheme <=4.0.0
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
postcss-attribute-case-insensitive <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-color-functional-notation <=3.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 1.3.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function *
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple 1.2.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-custom-media 4.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 3.3.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 2.3.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-double-position-gradients <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-focus-visible <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within <=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 1.2.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function <=3.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial <=3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function <=3.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-logical <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 1.2.0 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-nesting <=7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-overflow-shorthand <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link <=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-replace-overflow-wrap <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches *
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
之后我启动了npm audit fix --force
现在我有
25 vulnerabilities (3 low, 15 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
而且我也无法启动项目
An unhandled exception occurred: require() of ES Module /Users/gboutte/Documents/my-project/node_modules/@angular/compiler-cli/bundles/index.js from /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js not supported.
Instead change the require of index.js in /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js to a dynamic import() which is available in all CommonJS modules.
See "/private/var/folders/yq/67x6zpfj695czhn4sqrwvxp40000gn/T/ng-h8zNpR/angular-errors.log" for further details.
我应该忽略这些错误还是有办法修复它?
我看到漏洞中提到了 postcss,我应该使用 scss 以外的东西吗?
恐怕你只能忍受这些漏洞。 Angular 有一组非常严格的依赖项,在更改这些依赖项的版本时,您已经破坏了您的应用程序。
确保尽可能频繁地更新您的 Angular 项目,因为 Angular 团队会定期更新 Angular 的依赖项以缓解这些问题。
同意 Will Alexander 的观点,我们可能应该暂时忍受这些漏洞并升级到修补它们的新 Angular 13.x.x。从好的方面来说,这些看起来像是大多数人如何使用 Angular 的低风险漏洞(警告:这些是我最好的猜测;如果我是,请其他人插话遗漏了一些东西):
node-forge 看起来它是用来为本地开发服务器(通常是 localhost:4200)创建自签名 SSL 证书的,当你 运行 ng serve.postcss 被构建工具用来解析和修改 CSS (添加供应商前缀等)不确定,但我认为它仍然被 Angular 使用,即使你正在使用 CSS 而不是 SCSS.
所以这两个都只在开发中使用并且没有在生产构建中部署(Prototype Pollution和RegEx DoS会是重大风险)。
此外,如果您使用的是 Angular (v13) 的当前版本,自动化 npm audit fix --force 可能会导致比它解决的问题更多的问题。它从 13.1.2(对于 Angular v13)回滚 @angular-devkit/build-angular 到 0.1101.2(v11-lts,Angular v11 的长期支持)。 v11 构建工具和 v13 代码之间的不匹配可能是导致您尝试 运行.
时出现未处理异常的原因
tl;dr:在没有 npm audit fix 的情况下在 Angular 中开发(在这种情况下!),因为这些漏洞不会部署到生产中。更新到更新的 Angular v13.x.x 有望在不久的将来清理 npm audit。
我更新了 angular cli 并创建了一个新项目,带有路由和 scss。
当我 运行 npm install 我看到:
41 vulnerabilities (4 low, 37 moderate)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
我使用了第一个命令 npm audit fix,它向我展示了这个:
up to date, audited 985 packages in 5s
90 packages are looking for funding
run `npm fund` for details
# npm audit report
node-forge <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/node-forge
selfsigned >=1.1.1
Depends on vulnerable versions of node-forge
node_modules/selfsigned
webpack-dev-server >=2.5.0
Depends on vulnerable versions of selfsigned
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
postcss <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/autoprefixer/node_modules/postcss
node_modules/css-blank-pseudo/node_modules/postcss
node_modules/css-has-pseudo/node_modules/postcss
node_modules/css-prefers-color-scheme/node_modules/postcss
node_modules/postcss-attribute-case-insensitive/node_modules/postcss
node_modules/postcss-color-functional-notation/node_modules/postcss
node_modules/postcss-color-gray/node_modules/postcss
node_modules/postcss-color-hex-alpha/node_modules/postcss
node_modules/postcss-color-mod-function/node_modules/postcss
node_modules/postcss-color-rebeccapurple/node_modules/postcss
node_modules/postcss-custom-media/node_modules/postcss
node_modules/postcss-custom-properties/node_modules/postcss
node_modules/postcss-custom-selectors/node_modules/postcss
node_modules/postcss-dir-pseudo-class/node_modules/postcss
node_modules/postcss-double-position-gradients/node_modules/postcss
node_modules/postcss-env-function/node_modules/postcss
node_modules/postcss-focus-visible/node_modules/postcss
node_modules/postcss-focus-within/node_modules/postcss
node_modules/postcss-font-variant/node_modules/postcss
node_modules/postcss-gap-properties/node_modules/postcss
node_modules/postcss-image-set-function/node_modules/postcss
node_modules/postcss-initial/node_modules/postcss
node_modules/postcss-lab-function/node_modules/postcss
node_modules/postcss-logical/node_modules/postcss
node_modules/postcss-media-minmax/node_modules/postcss
node_modules/postcss-nesting/node_modules/postcss
node_modules/postcss-overflow-shorthand/node_modules/postcss
node_modules/postcss-page-break/node_modules/postcss
node_modules/postcss-place/node_modules/postcss
node_modules/postcss-preset-env/node_modules/postcss
node_modules/postcss-pseudo-class-any-link/node_modules/postcss
node_modules/postcss-replace-overflow-wrap/node_modules/postcss
node_modules/postcss-selector-matches/node_modules/postcss
node_modules/postcss-selector-not/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 1.0.20131222 - 9.8.8
Depends on vulnerable versions of postcss
node_modules/autoprefixer
postcss-preset-env <=7.0.0
Depends on vulnerable versions of autoprefixer
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-color-mod-function
Depends on vulnerable versions of postcss-double-position-gradients
Depends on vulnerable versions of postcss-focus-visible
Depends on vulnerable versions of postcss-focus-within
Depends on vulnerable versions of postcss-initial
Depends on vulnerable versions of postcss-page-break
node_modules/postcss-preset-env
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of postcss-preset-env
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
css-blank-pseudo <=1.0.0
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
css-has-pseudo <=1.0.0
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-prefers-color-scheme <=4.0.0
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
postcss-attribute-case-insensitive <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-color-functional-notation <=3.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 1.3.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function *
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple 1.2.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-custom-media 4.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 3.3.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 2.3.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-double-position-gradients <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-focus-visible <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within <=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 1.2.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function <=3.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial <=3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function <=3.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-logical <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 1.2.0 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-nesting <=7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-overflow-shorthand <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link <=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-replace-overflow-wrap <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches *
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
之后我启动了npm audit fix --force
现在我有
25 vulnerabilities (3 low, 15 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
而且我也无法启动项目
An unhandled exception occurred: require() of ES Module /Users/gboutte/Documents/my-project/node_modules/@angular/compiler-cli/bundles/index.js from /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js not supported.
Instead change the require of index.js in /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js to a dynamic import() which is available in all CommonJS modules.
See "/private/var/folders/yq/67x6zpfj695czhn4sqrwvxp40000gn/T/ng-h8zNpR/angular-errors.log" for further details.
我应该忽略这些错误还是有办法修复它? 我看到漏洞中提到了 postcss,我应该使用 scss 以外的东西吗?
恐怕你只能忍受这些漏洞。 Angular 有一组非常严格的依赖项,在更改这些依赖项的版本时,您已经破坏了您的应用程序。
确保尽可能频繁地更新您的 Angular 项目,因为 Angular 团队会定期更新 Angular 的依赖项以缓解这些问题。
同意 Will Alexander 的观点,我们可能应该暂时忍受这些漏洞并升级到修补它们的新 Angular 13.x.x。从好的方面来说,这些看起来像是大多数人如何使用 Angular 的低风险漏洞(警告:这些是我最好的猜测;如果我是,请其他人插话遗漏了一些东西):
node-forge看起来它是用来为本地开发服务器(通常是localhost:4200)创建自签名 SSL 证书的,当你 运行ng serve.postcss被构建工具用来解析和修改 CSS (添加供应商前缀等)不确定,但我认为它仍然被 Angular 使用,即使你正在使用 CSS 而不是 SCSS.
所以这两个都只在开发中使用并且没有在生产构建中部署(Prototype Pollution和RegEx DoS会是重大风险)。
此外,如果您使用的是 Angular (v13) 的当前版本,自动化 npm audit fix --force 可能会导致比它解决的问题更多的问题。它从 13.1.2(对于 Angular v13)回滚 @angular-devkit/build-angular 到 0.1101.2(v11-lts,Angular v11 的长期支持)。 v11 构建工具和 v13 代码之间的不匹配可能是导致您尝试 运行.
tl;dr:在没有 npm audit fix 的情况下在 Angular 中开发(在这种情况下!),因为这些漏洞不会部署到生产中。更新到更新的 Angular v13.x.x 有望在不久的将来清理 npm audit。