
Do npm vulnerabilities matter for front ends?

When running the command 'npm install' or 'npm audit', I usually receive notices of package vulnerabilities. In my case, I'm only using npm packages for a JavaScript client that I send to my users as an SPA (single page application).

Are there ever security vulnerabilities I should be aware of that affect UI/UX implementations of npm, or are these messages exclusively for when npm packages are used on node servers?

Here is an example of when I run 'npm audit':

(Screenshot: example output of running the command 'npm audit')

Yes, it can matter.

People have attempted to sneak malware via front-end code before. So far it has been through infecting ad servers or something similar, like an API that uses JSONP. But it could be done via infecting modules on npm.

There is a fairly famous case of someone inserting code to steal Bitcoin private keys (allowing them to spend other people's Bitcoins) by modifying the code for the EventStream module. It was a fairly subtle and long operation involving the hacker first volunteering bug fixes, then helping out maintaining the library, then finally requesting to become the lead maintainer.

EventStream is a node.js-only module, so it isn't a front-end thing. But the possibility exists for someone to silently add code to modify things like Math.random or window.fetch to secretly alter your logic or snoop on your communications.

If the vulnerability gets shipped to browser code, you should investigate what it is and whether it matters to your application.

If the vulnerability only affects developer tooling (for example a CSS pre-processor or a build system like gulp), then it doesn't matter, because it only gets executed when you build or debug your project.
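One defensive check for the scenario the answer describes (a dependency silently replacing built-ins such as Math.random or window.fetch): built-in functions render as `[native code]` when stringified, while a JavaScript wrapper reveals its own source. The following is an added example, not code from the question or answer; the watched paths and the benign override in `demo()` are constructed for illustration.

```javascript
// Capture the genuine toString at load time, before any third-party module
// runs, so a later override of Function.prototype.toString cannot fool us
// (assumption: this check is the first script bundled into the page).
const nativeToString = Function.prototype.toString;

// Engines print native functions as "function name() { [native code] }".
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// True when fn still looks like an engine-provided built-in.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_RE.test(nativeToString.call(fn));
}

// Walk a dotted path such as "Math.random" from a root object.
function resolvePath(root, path) {
  return path
    .split('.')
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Return the watched paths whose function no longer looks native.
function findTamperedBuiltins(root, paths) {
  return paths.filter((p) => !isNativeFunction(resolvePath(root, p)));
}

// Constructed demonstration: snapshot, simulate a silent override of
// Math.random (a wrapper that behaves identically), re-check, then restore.
function demo() {
  const WATCHED = ['Math.random', 'JSON.parse', 'Array.prototype.map'];
  const before = findTamperedBuiltins(globalThis, WATCHED);
  const original = Math.random;
  Math.random = function random() { return original(); }; // benign wrapper
  const after = findTamperedBuiltins(globalThis, WATCHED);
  Math.random = original; // restore the real built-in
  return { before, after };
}

module.exports = { isNativeFunction, findTamperedBuiltins, demo };
```

The check is a tripwire, not a guarantee: a `Function.prototype.bind`-produced wrapper also prints `[native code]`, and code that runs before this script can hide itself. Run it early in the bundle and report hits to your monitoring so a tampered dependency shows up in the field rather than only in a code review.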
