
postcss 7.0.0 - 8.2.9 Severity: moderate Regular Expression Denial of Service

When creating a new project under create-react-app, you get warnings straight away regarding a vulnerability found in postcss.

Issue reported by npm: https://www.npmjs.com/advisories/1693

Related open issues can be found here:

The issue has been patched in postcss v8.2.10, but it's still present when creating new projects as react-scripts hasn't upgraded the dependency yet.

So, my problem here is I can no longer run builds as they fail due to the vulnerability.

Since I can't wait for them to get it patched to keep working on my stuff (they seem to have been aware of it for a year), is there some workaround that could be applied to solve it?

I tried adding a postcss resolution in package.json:

  "resolutions": {
    "postcss": "^8.2.10"
  },

but that didn't get me far.

Any idea?

This article helped me: https://www.npmjs.com/package/npm-force-resolutions. To use the resolutions you wrote, you should force them by adding this script to package.json:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

After that, run npm install and it should overwrite all nested dependencies.

Anyway, it will not work due to many dependencies. Good news is that support for postcss 8 is already merged and will probably be released soon: https://github.com/facebook/create-react-app/issues/9664

Switching to Yarn makes this far simpler.

rm -rf ./node_modules
rm ./package-lock.json

Edit your package.json (add any other package versions to upgrade from npm / yarn audit here also):

  "resolutions": 
  {
    "postcss": "^8.2.10"
  },

yarn install, then running yarn audit should yield the magic words:

0 vulnerabilities found - Packages audited: 999
✨  Done in 1.10s.

I managed to reduce the audit issues down to one moderate vulnerability due to the browserslist package in my post here:

https://stackoverflow.com/a/68046680/1669123

Updating postcss to version 8.xx in resolutions results in build issues for me. I'm a web dev newcomer and guessing version 8 breaking changes for plugins is the culprit. Version 7.0.36 is the latest version 7 postcss that builds and runs for me. The changelog states that this version has the ReDoS fix backported from version 8. I can't seem to solve the browserslist package issue without it causing 'module not found' errors at runtime. I'm guessing we'll have to wait on the CRA team to update react-scripts for a more thorough solution.

Alternatively, you can solve it using yarn audit instead of npm.

yarn audit --groups postcss

This command will only ignore the postcss package from the security check.
