What to do with high and moderate apparent dependencies issue?
【Chinese title】如何处理高度和中等明显的依赖问题?
【English title】What to do with high and moderate apparent dependencies issue?
【Posted】2021-12-15 09:26:20
【Question】I have run "npm audit fix". I had been ignoring the warnings, but it still ran fine. Now it simply will not run.
I am using the latest version of Angular. It tells me I may need to choose different dependencies. How do I do this manually? Obviously I have to, since running the suggested command does not fix the problem.
Thanks.
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
No fix available
node_modules/ansi-html
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
@angular-devkit/build-angular <=13.0.0-next.3
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack <=0.1300.0-next.2
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
No fix available
node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/webpack-dev-server/node_modules/cliui/node_modules/strip-ansi
node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/strip-ansi
node_modules/wide-align/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/webpack-dev-server/node_modules/cliui
yargs 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
node_modules/webpack-dev-server/node_modules/yargs
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
@angular-devkit/build-angular <=13.0.0-next.3
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack <=0.1300.0-next.2
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/webpack-dev-server/node_modules/string-width
node_modules/wide-align/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/webpack-dev-server/node_modules/wrap-ansi
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of braces
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of readdirp
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
@angular-devkit/build-angular <=13.0.0-next.3
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack <=0.1300.0-next.2
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
set-value <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
No fix available
node_modules/set-value
cache-base >=0.7.0
Depends on vulnerable versions of set-value
Depends on vulnerable versions of union-value
node_modules/cache-base
base >=0.7.0
Depends on vulnerable versions of cache-base
node_modules/base
snapdragon 0.6.0 - 0.10.1
Depends on vulnerable versions of base
node_modules/snapdragon
braces 2.0.0 - 2.3.2
Depends on vulnerable versions of snapdragon
node_modules/http-proxy-middleware/node_modules/braces
node_modules/webpack-dev-server/node_modules/braces
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of braces
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of readdirp
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
@angular-devkit/build-angular <=13.0.0-next.3
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack <=0.1300.0-next.2
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
expand-brackets 1.0.0 - 2.1.4
Depends on vulnerable versions of snapdragon
node_modules/expand-brackets
extglob 1.0.0 - 2.0.4
Depends on vulnerable versions of snapdragon
node_modules/extglob
micromatch 3.0.0 - 3.1.10
Depends on vulnerable versions of snapdragon
node_modules/http-proxy-middleware/node_modules/micromatch
node_modules/webpack-dev-server/node_modules/micromatch
anymatch 2.0.0
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/anymatch
http-proxy-middleware 0.18.0 - 0.19.2
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
readdirp 2.2.0 - 2.2.1
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/readdirp
nanomatch >=0.1.1
Depends on vulnerable versions of snapdragon
node_modules/nanomatch
union-value *
Depends on vulnerable versions of set-value
node_modules/union-value
25 vulnerabilities (6 moderate, 19 high)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
【Question comments】:
【Answer 1】For the high-severity ansi-html vulnerability, you can try following the steps listed here:
How to override a nested npm sub-dependency with a different package altogether (not just different package version number)?
In general, this approach can be used to resolve many of the security vulnerabilities that appear in your error message, and in most cases you only need to specify an updated version number in the resolutions section of package.json.
【Comments】:
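As an added example (not part of the question or the answer above), the following script turns the vulnerable ranges printed by the audit report into the override entries the answer describes. It assumes npm 8.3 or newer, where package.json accepts an "overrides" field (yarn's "resolutions" field plays the same role); the input list is constructed from the ranges in the report above, and the replacement map is a hypothetical input the maintainer would fill in for packages such as ansi-html that have no fixed version at all.

```javascript
// Constructed from the audit report above: package name and the affected range.
const auditFindings = [
  { name: 'ansi-html',   range: '*',             severity: 'high' },
  { name: 'ansi-regex',  range: '>2.1.1 <5.0.1', severity: 'moderate' },
  { name: 'glob-parent', range: '<5.1.2',        severity: 'high' },
  { name: 'set-value',   range: '<4.0.1',        severity: 'high' },
];

// The first release outside a vulnerable range. "<5.0.1" means 5.0.1 is the
// first safe version, so ">=5.0.1" is the override to pin. A range of "*"
// (or one with only an inclusive "<=" bound) yields null: no pin can help,
// the package has to be replaced with a different one.
function firstSafeVersion(range) {
  if (range.trim() === '*') return null;
  const m = range.match(/<(?!=)\s*(\d+\.\d+\.\d+)/);
  return m ? m[1] : null;
}

// Build the "overrides" map. Packages without a safe version are reported in
// `unresolved` unless the caller supplies a replacement spec for them
// (hypothetical map; the "npm:<other-package>@<version>" alias form is an
// assumption about what the override value may be, check your npm version).
function buildOverrides(findings, replacements = {}) {
  const overrides = {};
  const unresolved = [];
  for (const f of findings) {
    if (replacements[f.name]) {
      overrides[f.name] = replacements[f.name];
      continue;
    }
    const v = firstSafeVersion(f.range);
    if (v) overrides[f.name] = `>=${v}`;
    else unresolved.push(f.name);
  }
  return { overrides, unresolved };
}

// Merge the computed map into a package.json object, keeping any overrides
// that were already present and every other field untouched.
function applyOverrides(pkg, overrides) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...overrides } };
}

const result = buildOverrides(auditFindings);
console.log(JSON.stringify(applyOverrides({ name: 'app' }, result.overrides), null, 2));
console.log('needs a replacement package:', result.unresolved);
```

After writing the merged object back to package.json, re-run npm install and npm audit; the three pinned packages should disappear from the report, while ansi-html stays until a replacement package is chosen.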