Webpack vendors JS bundle (Vue CLI) includes code not listed in dependencies or package-lock.json?
An information security auditing tool raised a flag for an outdated library with known vulnerabilities found in our webpack-bundled (by Vue CLI) chunk-vendors.js file:

YUI 2.9.0

It seems this library is not even included in its entirety, as it is only this short code snippet:
```javascript
/*
Copyright (c) 2011, Yahoo! Inc. All rights reserved.
Code licensed under the BSD License:
http://developer.yahoo.com/yui/license.html
version: 2.9.0
*/
// note: r (used in r.userAgent) is defined elsewhere in the bundle, not in this excerpt
if(void 0===a)var a={};a.lang={extend:function(e,n,i){if(!n||!e)throw new Error("YAHOO.lang.extend failed, please check that all dependencies are included.");var a=function(){};if(a.prototype=n.prototype,e.prototype=new a,e.prototype.constructor=e,e.superclass=n.prototype,n.prototype.constructor==Object.prototype.constructor&&(n.prototype.constructor=n),i){var o;for(o in i)e.prototype[o]=i[o];var s=function(){},c=["toString","valueOf"];try{/MSIE/.test(r.userAgent)&&(s=function(t,e){for(o=0;o<c.length;o+=1){var n=c[o],r=e[n];"function"==typeof r&&r!=Object.prototype[n]&&(t[n]=r)}})}catch(t){}s(e.prototype,i)}}};
```
I was expecting to find the YUI dependency installed by NPM and thus listed in package-lock.json; however, there is no yui in the lock file.

How can this dependency be included in the chunk-vendors.js file while not being included in package-lock.json, or how can I debug this?
In order to find the guilty dependency you may simply perform a grep search through node_modules looking for the copyright text mentioned above. For Windows you can use PowerGREP or the CLI command findstr /s /i /m \<developer.yahoo.com\> *.* > results.out (/s for recursive search, /i for case-insensitive search, /m to print just the filename instead of the exact line with the match).