create-react-app has a critical vulnerability because the react-scripts package version has not been updated

vhipe2zx posted 5 months ago in React

Describe the bug

The yarn audit command shows a critical vulnerability in the immer package:

my-app % yarn audit --level critical
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > react-dev-utils > immer                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002492                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
115 vulnerabilities found - Packages audited: 1682
Severity: 85 Moderate | 29 High | 1 Critical

The package.json of react-dev-utils uses the correct immer version. However, because the react-scripts package version has not changed (it has still been 4.0.3 for the past 8 months), the update has not been published to the npm and yarn package registries.

Did you try recovering your dependencies?

Yes, I tried

Which terms did you search in the User Guide?

fixing vulnerabilities

Environment

Environment Info:

  current version of create-react-app: 4.0.3
  running from /Users/veselov/.npm/_npx/c67e74de0542c87c/node_modules/create-react-app

  System:
    OS: macOS 10.15.7
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 14.15.4 - /usr/local/bin/node
    Yarn: 1.22.10 - ~/homebrew/bin/yarn
    npm: 7.22.0 - ~/homebrew/bin/npm
  Browsers:
    Chrome: 94.0.4606.71
    Edge: Not Found
    Firefox: 91.1.0
    Safari: 15.0
  npmPackages:
    react: ^17.0.2 => 17.0.2 
    react-dom: ^17.0.2 => 17.0.2 
    react-scripts: ^4.0.3 => 4.0.3 
  npmGlobalPackages:
    create-react-app: Not Found

Steps to reproduce

(Write your steps here:)

  1. Generate my-app
npx create-react-app my-app
cd my-app
  2. Run the audit
yarn audit --level critical

Expected behavior

No critical vulnerabilities expected

Actual behavior

As described above

Reproducible demo

Use the current version of create-react-app
Possible security incident
Possible compliance risk
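As an added example (not code from the issue thread or from create-react-app), the check below reproduces the audit's path reporting offline from a package-lock style map: it assumes the lockfile v2/v3 "packages" layout and a constructed sample tree, and reports every requester chain ending in an immer older than the 9.0.6 floor, including a nested copy that a patched hoisted copy would otherwise hide.

```javascript
// Added example (not code from the issue or from create-react-app): walk a
// package-lock v2/v3 "packages" map, resolve each dependency the way Node does
// (nearest node_modules upward) and report every requester chain that ends in a
// copy of the audited package older than the audit's "Patched in" floor.
// Constructed sample modelled on the issue's audit path, plus a patched copy hoisted to the top.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'react-scripts': '^4.0.3', immer: '^9.0.6' } },
    'node_modules/react-scripts': { version: '4.0.3', dependencies: { 'react-dev-utils': '^11.0.4' } },
    'node_modules/react-dev-utils': { version: '11.0.4', dependencies: { immer: '8.0.1' } },
    'node_modules/react-dev-utils/node_modules/immer': { version: '8.0.1' },
    'node_modules/immer': { version: '9.0.6' },
  },
};
// Numeric major.minor.patch "a < b"; enough for a ">=X.Y.Z" patched floor.
function lt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Resolve `dep` from the package installed at `from`: its own nested
// node_modules first, then each ancestor's, ending at the project root ('').
function resolve(lock, from, dep) {
  for (let base = from; ; ) {
    const cand = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock.packages[cand]) return cand;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}
// DFS from the root; record the chain for every edge that lands on an unpatched
// copy of pkgName. A patched copy elsewhere in the tree does not mask a nested one.
function vulnerablePaths(lock, pkgName, patchedIn) {
  const hits = [], seen = new Set();
  (function walk(path, chain) {
    if (seen.has(path)) return;
    seen.add(path);
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      const target = resolve(lock, path, dep);
      if (!target) continue;
      const version = lock.packages[target].version;
      if (dep === pkgName && lt(version, patchedIn)) hits.push({ chain: [...chain, dep].join(' > '), version, path: target });
      walk(target, [...chain, dep]);
    }
  })('', []);
  return hits;
}
```

Running `vulnerablePaths(SAMPLE_LOCK, 'immer', '9.0.6')` yields the single chain `react-scripts > react-dev-utils > immer` at version 8.0.1, matching the Path row of the audit table; a real package-lock.json can be passed in via `JSON.parse(fs.readFileSync(...))`.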

lqfhib0f #1

This is a development-only issue; see #11174 for more information.

cuxqih21 #2

There are other high-severity vulnerability issues flagged in 4.0.3 as well. => run npm audit
Understand this may only be in development, but glad to see attention on it, because very often development code gets released for testing.

7dl7o3gd #3

Any update on this open issue? The problem still exists.

umuewwlo #4

This issue has been automatically marked as stale because it has not had any recent activity. If no further activity occurs, it will be closed in 5 days.

velaa5lx #5

Could it be moved to devDependencies or upgraded to a non-vulnerable version?

kxe2p93d #6

When I run with yarn and npm, I get high-severity reports:

$ yarn audit --level critical
yarn audit v1.22.15
info No lockfile found.
warning @testing-library/jest-dom > css > source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
warning react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
warning react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
warning react-scripts > css-minimizer-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
1 vulnerabilities found - Packages audited: 1230
Severity: 1 High
Done in 25.01s.

$ npm audit
# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Environment:

$ npx create-react-app --info

Environment Info:

  current version of create-react-app: 5.0.1
  running from /.npm/_npx/c67e74de0542c87c/node_modules/create-react-app

  System:
    OS: Linux 5.15 Ubuntu 20.04.4 LTS (Focal Fossa)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
  Binaries:
    Node: 16.15.1 - ~/.nvm/versions/node/v16.15.1/bin/node
    Yarn: 1.22.15 - ~/.nvm/versions/node/v16.15.1/bin/yarn
    npm: 8.11.0 - ~/.nvm/versions/node/v16.15.1/bin/npm
  Browsers:
    Chrome: 103.0.5060.114
    Firefox: 102.0
  npmPackages:
    react: ^18.2.0 => 18.2.0 
    react-dom: ^18.2.0 => 18.2.0 
    react-scripts: 5.0.1 => 5.0.1 
  npmGlobalPackages:
    create-react-app: Not Found

nue99wik #7

"Could it be moved to devDependencies or upgraded to a non-vulnerable version?"
Yes, you should move react-scripts to devDependencies, per #11174.
