How to fix @vue/cli Vulnerabilities?

I have a vuejs-3 project and I am looking for 0 vulnerabilities. When I do npm install I get 48 vulnerabilities with the current versions of node and npm. Even if I try npm audit fix --force the issue is still the same. Can someone help me please?

C:\Users\achalapa\git\cnsr-odrplat-wcm-cld-vue\mcafee-consumer-wcm-cld-vue.lib> npm install
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated html-webpack-plugin@3.2.0: 3.x is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'

added 923 packages, and audited 1694 packages in 4m

105 packages are looking for funding
  run `npm fund` for details

48 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

The 48 vulnerabilities appear when we add the packages below:

"@vue/cli-plugin-babel": "~4.5.13",
"@vue/cli-plugin-typescript": "~4.5.13",
"@vue/cli-plugin-vuex": "~4.5.13",
"@vue/cli-service": "4.5.13",

Is this okay to proceed? Is this harmful for my project?

package.json

{
  "name": "mcafee-consumer-wcm-cld-vue.lib",
  "version": "1.0.0",
  "private": true,
  "sideEffects": false,
  "scripts": {
    "bundle": "set NODE_ENV=production && npm run lint && webpack --config webpack.dlp.js --progress --mode=production",
    "bundle-dev": "set NODE_ENV=development && npm run lint && webpack --config webpack.dlp.js --progress --mode=development",
    "lint": "eslint . --ext .ts,.js --ignore-pattern src/**/*.d.ts",
    "lint-and-fix": "eslint . --ext .ts --fix"
  },
  "dependencies": {
    "@vuelidate/core": "^2.0.0-alpha.18",
    "bootstrap": "^5.0.1",
    "core-js": "^3.13.0",
    "intersection-observer": "^0.12.0",
    "vue": "^3.0.0",
    "vuex": "^4.0.0-0",
    "whatwg-fetch": "^3.6.2"
  },
  "devDependencies": {
    "@babel/core": "^7.14.3",
    "@babel/plugin-syntax-dynamic-import": "^7.8.3",
    "@babel/plugin-transform-arrow-functions": "^7.13.0",
    "@babel/plugin-transform-runtime": "^7.14.3",
    "@babel/preset-env": "^7.14.2",
    "@babel/preset-typescript": "^7.13.0",
    "@types/bootstrap": "^5.0.15",
    "@types/core-js": "^2.5.4",
    "@types/lodash": "^4.14.170",
    "@typescript-eslint/eslint-plugin": "^4.25.0",
    "@typescript-eslint/eslint-plugin-tslint": "^4.25.0",
    "@typescript-eslint/parser": "^4.25.0",
    "@vue/cli-plugin-babel": "~4.5.13",
    "@vue/cli-plugin-typescript": "~4.5.13",
    "@vue/cli-plugin-vuex": "~4.5.13",
    "@vue/cli-service": "4.5.13",
    "@vue/compiler-sfc": "^3.0.11",
    "@vue/eslint-config-prettier": "^6.0.0",
    "@vue/eslint-config-typescript": "^7.0.0",
    "babel-loader": "^8.2.2",
    "babel-preset-typescript-vue3": "^2.0.12",
    "clean-webpack-plugin": "^3.0.0",
    "eslint": "^7.27.0",
    "eslint-config-prettier": "^8.3.0",
    "eslint-loader": "^4.0.2",
    "eslint-plugin-jsdoc": "^35.0.0",
    "eslint-plugin-prettier": "^3.4.0",
    "eslint-plugin-vue": "^7.9.0",
    "fork-ts-checker-webpack-plugin": "^3.1.1",
    "html-webpack-plugin": "^5.3.1",
    "prettier": "^2.3.0",
    "terser-webpack-plugin": "^5.1.2",
    "ts-loader": "^9.2.2",
    "tslint": "^6.1.3",
    "typescript": "^4.3.2",
    "typescript-tslint-plugin": "^1.0.1",
    "vue-loader": "^16.2.0",
    "webpack": "^5.37.1",
    "webpack-bundle-analyzer": "^4.4.2",
    "webpack-cli": "^4.7.0",
    "webpack-merge": "^4.1.4"
  }
}

If all vulnerabilities are coming only from those 4 packages, i.e. vue/cli, then you can safely ignore it, as the only place where this code will be executed is on your own machine during development and build. If we agree that we trust the creators of Vue CLI that they do not use those vulnerable packages in a way harmful to their customers (developers using Vue CLI), we can safely ignore those warnings as no code from these packages will be included in the app bundle...

What interests you is only vuln. of packages included in the dependencies part of package.json, as this is code that will make it to the final app bundle and will be downloaded and executed by our users/customers.

Use this command instead: npm audit --only=prod

npm prune worked for me!

I had an extraneous package installed with npm install @vue/cli -g called subscriptions-transport-ws which was no longer maintained and used a bunch of deprecated packages.

After the prune, I checked and it was gone using npm ls subscriptions-transport-ws. I also had no vulnerabilities anymore.

For anyone getting vulnerability warnings from @vue/cli:

@vue/cli is now in maintenance mode and it is recommended to create projects using create-vue.

From their site:

⚠️ Vue CLI is in Maintenance Mode! ⚠️

For new projects, it is now recommended to use create-vue to scaffold Vite-based projects. Also refer to the Vue 3 Tooling Guide for the latest recommendations.

$ npm create vue@3

This should properly deal with the npm audit warnings, at which point you should have none from vue.

Does this happen when you are trying to create the project? If so, check the system environment variables in Windows. My problem was that only one path was added, but you need two paths. One under User variables for "YourUser", under Path:

C:\Program Files \nodejs\

And a second path under System variables, also under Path:

C:\Program Files \nodejs\

This resolved the problem for me, hope it helps!
