

Webpack vendors JS bundle (Vue CLI) includes code not listed in dependencies or package-lock.json?

Information security auditing tool raised a flag for an outdated library with known vulnerabilities found in our webpack-bundled (by Vue CLI) chunk-vendors.js file:

YUI 2.9.0

It seems this library is not even included in its entirety, as it is only this short snippet of code:

/* Copyright (c) 2011, Yahoo! Inc. All rights reserved. Code licensed under the BSD License: http://developer.yahoo.com/yui/license.html version: 2.9.0 */
if (void 0 === a) var a = {};
a.lang = {
  extend: function (e, n, i) {
    if (!n || !e) throw new Error("YAHOO.lang.extend failed, please check that all dependencies are included.");
    var a = function () {};
    a.prototype = n.prototype;
    e.prototype = new a;
    e.prototype.constructor = e;
    e.superclass = n.prototype;
    n.prototype.constructor == Object.prototype.constructor && (n.prototype.constructor = n);
    if (i) {
      var o;
      for (o in i) e.prototype[o] = i[o];
      var s = function () {}, c = ["toString", "valueOf"];
      try {
        // `r` is a minifier-renamed reference defined elsewhere in the bundle; this snippet is cut from a larger file
        /MSIE/.test(r.userAgent) && (s = function (t, e) {
          for (o = 0; o < c.length; o += 1) {
            var n = c[o], r = e[n];
            "function" == typeof r && r != Object.prototype[n] && (t[n] = r);
          }
        });
      } catch (t) {}
      s(e.prototype, i);
    }
  }
};

I was expecting to find the YUI dependency installed by NPM and thus found in package-lock.json; however, there is no yui found in the lock file.

How can this dependency be included in the chunk-vendors.js file while not being included in package-lock.json, or how do I debug this?

In order to find the guilty dependency you may simply perform a grep search through node_modules looking for the copyright text mentioned above. For Windows you can use PowerGREP or the CLI command findstr /s /i /m \<developer.yahoo.com\> *.* > results.out (/s for recursive search, /i for case-insensitive search, /m to print just the filename instead of the exact line with the match).
