postcss 7.0.0 - 8.2.9 Severity: moderate Regular Expression Denial of Service
When creating a new project under create-react-app, you get warnings straight away regarding a vulnerability found in postcss.

Issue reported by npm: https://www.npmjs.com/advisories/1693

Related open issues can be found here:

The issue has been patched in postcss v8.2.10, but it's still present when creating new projects, as react-scripts hasn't upgraded the dependency yet.

So, my problem here is that I can no longer run builds, as they fail due to the vulnerability.

Since I can't wait for them to patch it before continuing to work on my stuff (they seem to have been aware of it for a year), is there some workaround that could be applied to solve it?

I tried adding a postcss resolution in package.json:

"resolutions": {
  "postcss": "^8.2.10"
},

but that didn't get me far.

Any idea?
This article helped me: https://www.npmjs.com/package/npm-force-resolutions. To use the resolutions you wrote, you should force them by adding this script in package.json:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

After that, run npm install and it should overwrite all nested dependencies.

Anyway, it will not work due to many dependencies. The good news is that support for postcss 8 is already merged and will probably be released soon: https://github.com/facebook/create-react-app/issues/9664
Switching to Yarn makes this far simpler.

rm -rf ./node_modules
rm ./package-lock.json

Edit your package.json (add any other package versions to upgrade from npm / yarn audit here as well):

"resolutions": {
  "postcss": "^8.2.10"
},

yarn install

Then running yarn audit should yield the magic words:

0 vulnerabilities found - Packages audited: 999
✨ Done in 1.10s.

I managed to reduce the audit issues down to one moderate vulnerability due to the browserslist package in my post here: https://stackoverflow.com/a/68046680/1669123
Updating postcss to version 8.xx in resolutions results in build issues for me. I'm a web dev newcomer and am guessing the version 8 breaking changes for plugins are the culprit. Version 7.0.36 is the latest version 7 postcss that builds and runs for me. The changelog states that this version has the ReDoS fix backported from version 8. I can't seem to solve the browserslist package issue without it causing 'module not found' errors at runtime. I'm guessing we'll have to wait on the CRA team to update react-scripts for a more thorough solution.
Alternatively, you can solve it using yarn audit instead of npm.

yarn audit --groups postcss

This command will only ignore the postcss package from the security check.