
javascript - NPM audit warnings - Stack Overflow


What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?

> npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Denial of Service

  Package         node-fetch

  Patched in      >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9

  Dependency of   aspnet-prerendering

  Path            aspnet-prerendering > domain-task > isomorphic-fetch >
                  node-fetch

  More info       https://npmjs.com/advisories/1556


  Moderate        Regular Expression Denial of Service

  Package         postcss

  Patched in      >=8.2.10

  Dependency of   @angular-devkit/build-angular [dev]

  Path            @angular-devkit/build-angular > resolve-url-loader > postcss

  More info       https://npmjs.com/advisories/1693

found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I'm not impacted by this. I was just striving for zero warnings on all fronts.

I can't/don't want to fiddle with a dependency's dependency! Do I just need to upgrade my dependency?

Asked May 12, 2021 at 2:43 by Jevon Kendon (edited May 12, 2021 at 2:48)

Comments:

  • Not much you can do. You could make a PR on that repo to fix the dependency. How much of an issue is this for you? – DogEatDog, May 12, 2021 at 2:45
  • Not impacted. Just striving for zero warnings on all fronts. – Jevon Kendon, May 12, 2021 at 2:47
  • That may never be achievable in the JS world. Try to eliminate offending packages if you can or switch to more mainstream/stable ones if possible. There is some acceptable risk to have for certain flavors of vulnerabilities. It seems like you're on the right path. – DogEatDog, May 12, 2021 at 2:51

3 Answers

Technically, there is no silver bullet to solve the vulnerabilities reported by npm audit. Here is the "rule of thumb" I am following:

  • Usually, I always do npm audit fix after npm audit. Note that this one will not solve all reports.

  • Update my dependencies to the latest stable. Be careful about the compatibility. (Hope you understand SEMVER.) The cost you spend to keep your system up to date and stable is always cheaper than the cost you need to spend to handle vulnerability issues.

  • Reduce the number of your dependencies. Not everything you need requires the library. You can build yourself a simpler version.

  • Learn to separate dependencies and dev dependencies. If the issue is reported for a dev tool, you can skip it. As I said above, there is no silver bullet, so give yourself some relaxation instead of fixing all of them. Just fix the necessary ones.

  • Finally, follow this: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
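The triage the answer above describes (skip dev-only findings, otherwise upgrade the direct dependency that pulls the vulnerable package in) can be scripted against the JSON form of the report. This is an added example, not code from the question or the answers; the report below is constructed to mirror the two findings in the question, and its shape (advisories, findings, paths, dev flag) is assumed to follow the npm 6 `npm audit --json` layout.

```javascript
// Constructed report in the (assumed) npm 6 "npm audit --json" shape,
// mirroring the node-fetch and postcss findings from the question.
// The installed versions are sample values, not taken from the page.
const sampleReport = {
  advisories: {
    "1556": {
      id: 1556, module_name: "node-fetch", severity: "low",
      title: "Denial of Service",
      patched_versions: ">=2.6.1 <3.0.0-beta.1 || >=3.0.0-beta.9",
      findings: [{ version: "1.7.3", dev: false,
        paths: ["aspnet-prerendering>domain-task>isomorphic-fetch>node-fetch"] }],
    },
    "1693": {
      id: 1693, module_name: "postcss", severity: "moderate",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=8.2.10",
      findings: [{ version: "7.0.35", dev: true,
        paths: ["@angular-devkit/build-angular>resolve-url-loader>postcss"] }],
    },
  },
};

// One triage row per advisory: which direct dependencies (first segment of
// each path) own the vulnerable package, whether every finding is reached
// only through dev dependencies, and the action the answers above suggest.
function triage(report) {
  return Object.values(report.advisories).map((adv) => {
    const directDeps = [...new Set(adv.findings.flatMap((f) =>
      f.paths.map((p) => p.split(">")[0])))];
    const devOnly = adv.findings.every((f) => f.dev === true);
    // Dev-only findings below "high" are deferrable; anything else needs
    // an upgrade of the direct dependency or a pin to the patched range.
    const deferrable = devOnly && !["high", "critical"].includes(adv.severity);
    const action = deferrable
      ? "dev-only: acceptable to defer"
      : `upgrade ${directDeps.join(", ")} or pin ${adv.module_name} to ${adv.patched_versions}`;
    return { id: adv.id, module: adv.module_name, severity: adv.severity,
             directDeps, devOnly, action };
  });
}

// Usage: node triage.js < audit.json, or call triage(sampleReport) directly.
console.table(triage(sampleReport));
```

Feeding real output is a matter of replacing `sampleReport` with `JSON.parse(require("fs").readFileSync(0, "utf8"))`.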

You can make your dependencies use another (current / secure) version of their dependencies.

Let's say you have a warning about the postcss package, which I solved a moment ago, so I can describe the process and you can proceed analogously.

After npm audit I got a warning like:

  Moderate        Regular Expression Denial of Service
  Package         postcss
  Patched in      >=8.2.10
  Dependency of   laravel-mix [dev]
  Path            laravel-mix > cssnano > cssnano-preset-default >
                  postcss-svgo > postcss
  More info       https://npmjs.com/advisories/1693

Notice! You have to be aware that when you make your package use a newer version of its dependency it can break things, but it's worth trying.

So you see that the laravel-mix package uses an old version of postcss and that the issue is fixed in version >=8.2.10 of postcss, so you want to install a newer version of the postcss package, which you can achieve by:

npm install postcss --save-dev

Then you need to add a new section to your package.json file instructing npm that you want dependencies to use your specific version of the library. It goes in my case like this:

{
  "resolutions": {
    "postcss": "^8.2.15"
  }
}

Then you have to add a new script to force npm to use this new "resolutions" section, like this:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Notice! You have to run this script every time before running your regular npm install. It goes like this:

npm run preinstall
npm install

More info can be found in the npm docs.

You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case https://www.npmjs.com/package/node-fetch), and then run "npm install" from the terminal.
