Problem
When running npm i on a vue.js project, the install reported problems; this post summarises how I fixed them.
console
PS C:\workspace\test-project1> npm i
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\watchpack-chokidar2\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\webpack-dev-server\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
audited 1462 packages in 7.89s
86 packages are looking for funding
run `npm fund` for details
found 28 vulnerabilities (2 low, 5 moderate, 19 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Description
This is the output from running npm install.
28 vulnerabilities were found, recorded as 2 low, 5 moderate, 19 high, 2 critical.
As the output suggests, I will run npm audit fix.
Solution 1. Run npm audit fix
npm audit fix
Result
PS C:\workspace\test-project1> npm audit fix
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\watchpack-chokidar2\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\webpack-dev-server\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
updated 1 package in 8.98s
86 packages are looking for funding
run `npm fund` for details
fixed 5 of 28 vulnerabilities in 1462 scanned packages
2 vulnerabilities required manual review and could not be updated
5 package updates for 21 vulnerabilities involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
The vulnerabilities were not fully fixed. As the output suggests, I will use npm audit to look at them.
Checking the vulnerability list
npm audit
Run npm audit to list the vulnerabilities.
=== npm audit security report ===
# Run npm install --save-dev @vue/cli-plugin-babel@5.0.8 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
High Regular expression denial of service in glob-parent
Package glob-parent
Dependency of @vue/cli-plugin-babel [dev]
Path @vue/cli-plugin-babel > webpack > watchpack >
watchpack-chokidar2 > chokidar > glob-parent
More info https://github.com/advisories/GHSA-ww39-953v-wcq6
# Run npm install --save-dev @vue/cli-plugin-eslint@5.0.8 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
High Regular expression denial of service in glob-parent
Package glob-parent
Dependency of @vue/cli-plugin-eslint [dev]
Path @vue/cli-plugin-eslint > globby > fast-glob > glob-parent
More info https://github.com/advisories/GHSA-ww39-953v-wcq6
# Run npm install --save-dev @vue/cli-service@5.0.8 to resolve 11 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
High Regular expression denial of service in glob-parent
Package glob-parent
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > copy-webpack-plugin > glob-parent
More info https://github.com/advisories/GHSA-ww39-953v-wcq6
High Regular expression denial of service in glob-parent
Package glob-parent
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > chokidar >
glob-parent
More info https://github.com/advisories/GHSA-ww39-953v-wcq6
Moderate Open Redirect in node-forge
Package node-forge
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > selfsigned >
node-forge
More info https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Low Prototype Pollution in node-forge debug API.
Package node-forge
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > selfsigned >
node-forge
More info https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Low URL parsing in node-forge could lead to undesired behavior.
Package node-forge
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > selfsigned >
node-forge
More info https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Moderate Improper Verification of Cryptographic Signature in
`node-forge`
Package node-forge
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > selfsigned >
node-forge
More info https://github.com/advisories/GHSA-2r2c-g63r-vccr
High Improper Verification of Cryptographic Signature in
node-forge
Package node-forge
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > selfsigned >
node-forge
More info https://github.com/advisories/GHSA-x4jg-mjrx-434g
High Improper Verification of Cryptographic Signature in
node-forge
Package node-forge
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-dev-server > selfsigned >
node-forge
More info https://github.com/advisories/GHSA-cfm4-qjh2-4765
Critical Template injection in ejs
Package ejs
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > webpack-bundle-analyzer > ejs
More info https://github.com/advisories/GHSA-phwq-j96m-2c2q
High Inefficient Regular Expression Complexity in nth-check
Package nth-check
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > cssnano > cssnano-preset-default >
postcss-svgo > svgo > css-select > nth-check
More info https://github.com/advisories/GHSA-rp65-9cf3-cjxr
High Inefficient Regular Expression Complexity in nth-check
Package nth-check
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @intervolga/optimize-cssnano-plugin >
cssnano > cssnano-preset-default > postcss-svgo > svgo >
css-select > nth-check
More info https://github.com/advisories/GHSA-rp65-9cf3-cjxr
# Run npm install --save-dev node-sass@7.0.1 to resolve 7 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Moderate Improper Certificate Validation in node-sass
Package node-sass
Dependency of node-sass [dev]
Path node-sass
More info https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
High Arbitrary File Creation/Overwrite on Windows via
insufficient relative path sanitization
Package tar
Dependency of node-sass [dev]
Path node-sass > node-gyp > tar
More info https://github.com/advisories/GHSA-5955-9wpr-37jh
High Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic
links
Package tar
Dependency of node-sass [dev]
Path node-sass > node-gyp > tar
More info https://github.com/advisories/GHSA-qq89-hq3f-393p
High Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic
links
Package tar
Dependency of node-sass [dev]
Path node-sass > node-gyp > tar
More info https://github.com/advisories/GHSA-9r2w-394v-53qc
High Arbitrary File Creation/Overwrite due to insufficient
absolute path sanitization
Package tar
Dependency of node-sass [dev]
Path node-sass > node-gyp > tar
More info https://github.com/advisories/GHSA-3jfq-g458-7qm9
High Uncontrolled Resource Consumption in trim-newlines
Package trim-newlines
Dependency of node-sass [dev]
Path node-sass > meow > trim-newlines
More info https://github.com/advisories/GHSA-7p7h-4mm5-852v
High Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning
Package tar
Dependency of node-sass [dev]
Path node-sass > node-gyp > tar
More info https://github.com/advisories/GHSA-r628-mhmh-qjhw
# Run npm install swiper@8.3.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
Critical Prototype Pollution in swiper
Package swiper
Dependency of swiper
Path swiper
More info https://github.com/advisories/GHSA-p3hc-fv2j-rp68
# Run npm update ansi-regex --depth 8 to resolve 5 vulnerabilities
High Inefficient Regular Expression Complexity in
chalk/ansi-regex
Package ansi-regex
Dependency of eslint [dev]
Path eslint > strip-ansi > ansi-regex
More info https://github.com/advisories/GHSA-93q8-gq69-wqmw
High Inefficient Regular Expression Complexity in
chalk/ansi-regex
Package ansi-regex
Dependency of @vue/cli-plugin-babel [dev]
Path @vue/cli-plugin-babel > @vue/cli-shared-utils > ora >
strip-ansi > ansi-regex
More info https://github.com/advisories/GHSA-93q8-gq69-wqmw
High Inefficient Regular Expression Complexity in
chalk/ansi-regex
Package ansi-regex
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/cli-plugin-router >
@vue/cli-shared-utils > ora > strip-ansi > ansi-regex
More info https://github.com/advisories/GHSA-93q8-gq69-wqmw
High Inefficient Regular Expression Complexity in
chalk/ansi-regex
Package ansi-regex
Dependency of node-sass [dev]
Path node-sass > sass-graph > yargs > cliui > string-width >
strip-ansi > ansi-regex
More info https://github.com/advisories/GHSA-93q8-gq69-wqmw
High Inefficient Regular Expression Complexity in
chalk/ansi-regex
Package ansi-regex
Dependency of node-sass [dev]
Path node-sass > sass-graph > yargs > cliui > wrap-ansi >
string-width > strip-ansi > ansi-regex
More info https://github.com/advisories/GHSA-93q8-gq69-wqmw
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Cross-site Scripting in quill
Package quill
Patched in No patch available
Dependency of vue-quill-editor
Path vue-quill-editor > quill
More info https://github.com/advisories/GHSA-4943-9vgg-gr5r
Moderate Regular expression denial of service in scss-tokenizer
Package scss-tokenizer
Patched in No patch available
Dependency of node-sass [dev]
Path node-sass > sass-graph > scss-tokenizer
More info https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
found 28 vulnerabilities (2 low, 5 moderate, 19 high, 2 critical) in 1462 scanned packages
run `npm audit fix` to fix 5 of them.
21 vulnerabilities require semver-major dependency updates.
2 vulnerabilities require manual review. See the full report for details.
Solution 2. Fix by working through the npm audit list
1. Upgrade versions with npm install
Among the fixes npm audit recommends, run the npm install commands.
npm install --save-dev @vue/cli-plugin-babel@5.0.8
npm install --save-dev @vue/cli-plugin-eslint@5.0.8
npm install --save-dev @vue/cli-service@5.0.8
npm install --save-dev node-sass@7.0.1
npm install swiper@8.3.0
npm update ansi-regex --depth 5
Result
PS C:\workspace\test-project1> npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Cross-site Scripting in quill
Package quill
Patched in No patch available
Dependency of vue-quill-editor
Path vue-quill-editor > quill
More info https://github.com/advisories/GHSA-4943-9vgg-gr5r
Moderate Regular expression denial of service in scss-tokenizer
Package scss-tokenizer
Patched in No patch available
Dependency of node-sass [dev]
Path node-sass > sass-graph > scss-tokenizer
More info https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
found 2 moderate severity vulnerabilities in 1482 scanned packages
2 vulnerabilities require manual review. See the full report for details.
PS C:\workspace\test-project1>
All the other vulnerabilities were resolved, and the guide says 2 require manual review.
Solution 3. Manual review
Fixing quill > not fixed at present; it is under discussion with the developers
Reference URL: https://github.com/quilljs/quill/issues/3364
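The triage npm prints above (fixable by plain npm audit fix, fixable only with a semver-major update, needing manual review) can be reproduced from npm audit --json. The following is an added example, not code from the original post or from npm: it buckets a report in the npm 6 report shape (actions that list the advisory ids they resolve, advisories keyed by id) and applies a severity gate like npm audit --audit-level. SAMPLE_REPORT is constructed from a few of the advisories listed above; the advisory ids, patched ranges and the update depth are illustrative assumptions.

```javascript
// Added example, not from the original post: triage an `npm audit --json`
// report the same way the text report does. Uses the npm 6 ("v1") shape:
// `actions` (install / update / review, each listing the advisory ids it
// resolves) and `advisories` keyed by id.

// Severity order used by `npm audit --audit-level=<level>`.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample modelled on the post's report. Advisory ids, patched
// ranges and the update depth are illustrative, not copied from a real run.
const SAMPLE_REPORT = {
  actions: [
    { action: 'install', module: '@vue/cli-service', target: '5.0.8', isMajor: true,
      resolves: [
        { id: 1751, path: '@vue/cli-service>copy-webpack-plugin>glob-parent', dev: true },
        { id: 1071, path: '@vue/cli-service>webpack-bundle-analyzer>ejs', dev: true },
      ] },
    { action: 'update', module: 'ansi-regex', depth: 3, target: '5.0.1', isMajor: false,
      resolves: [{ id: 1002, path: 'eslint>strip-ansi>ansi-regex', dev: true }] },
    { action: 'review', module: 'quill',
      resolves: [{ id: 1701, path: 'vue-quill-editor>quill', dev: false }] },
    { action: 'review', module: 'scss-tokenizer',
      resolves: [{ id: 1702, path: 'node-sass>sass-graph>scss-tokenizer', dev: true }] },
  ],
  advisories: {
    1751: { module_name: 'glob-parent', severity: 'high', patched_versions: '>=5.1.2',
            title: 'Regular expression denial of service in glob-parent',
            url: 'https://github.com/advisories/GHSA-ww39-953v-wcq6' },
    1071: { module_name: 'ejs', severity: 'critical', patched_versions: '>=3.1.7',
            title: 'Template injection in ejs',
            url: 'https://github.com/advisories/GHSA-phwq-j96m-2c2q' },
    1002: { module_name: 'ansi-regex', severity: 'high', patched_versions: '>=5.0.1',
            title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
            url: 'https://github.com/advisories/GHSA-93q8-gq69-wqmw' },
    1701: { module_name: 'quill', severity: 'moderate', patched_versions: '<0.0.0',
            title: 'Cross-site Scripting in quill',
            url: 'https://github.com/advisories/GHSA-4943-9vgg-gr5r' },
    1702: { module_name: 'scss-tokenizer', severity: 'moderate', patched_versions: '<0.0.0',
            title: 'Regular expression denial of service in scss-tokenizer',
            url: 'https://github.com/advisories/GHSA-7mwh-4pqv-wmr8' },
  },
};

// npm prints "No patch available" when the patched range is "<0.0.0".
function patchAvailable(advisory) {
  return advisory.patched_versions !== '<0.0.0';
}

// The command the text report prints for an action. `install` gets
// --save-dev only when every resolved path goes through a devDependency.
function commandFor(action) {
  if (action.action === 'install') {
    const dev = action.resolves.every((r) => r.dev) ? ' --save-dev' : '';
    return `npm install${dev} ${action.module}@${action.target}`;
  }
  if (action.action === 'update') {
    return `npm update ${action.module} --depth ${action.depth}`;
  }
  return `manual review: ${action.module}`;
}

// Bucket actions as the text report does: plain `npm audit fix` handles
// non-major installs/updates, `--force` is needed for semver-major ones,
// and `review` actions have no patched version to move to.
function triage(report) {
  const buckets = { autoFix: [], semverMajor: [], manualReview: [] };
  for (const action of report.actions) {
    const entry = {
      module: action.module,
      command: commandFor(action),
      advisories: action.resolves.map((r) => {
        const adv = report.advisories[r.id];
        return { id: r.id, name: adv.module_name, severity: adv.severity, path: r.path,
                 dev: Boolean(r.dev), patchAvailable: patchAvailable(adv) };
      }),
    };
    if (action.action === 'review') buckets.manualReview.push(entry);
    else if (action.isMajor) buckets.semverMajor.push(entry);
    else buckets.autoFix.push(entry);
  }
  return buckets;
}

// Mirror `npm audit --audit-level=<level>`: fail when any advisory at or
// above `level` remains. With `productionOnly`, advisories reached only
// through devDependencies are skipped; that is a risk decision, since the
// build tooling still runs on developer machines and CI.
function gate(report, level, productionOnly = false) {
  const offending = [];
  for (const action of report.actions) {
    for (const r of action.resolves) {
      if (productionOnly && r.dev) continue;
      const adv = report.advisories[r.id];
      if (SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[level]) {
        offending.push({ id: r.id, name: adv.module_name, severity: adv.severity, path: r.path });
      }
    }
  }
  return { pass: offending.length === 0, offending };
}

// Stand-alone run: print the buckets and the gate verdict for the sample.
for (const [bucket, entries] of Object.entries(triage(SAMPLE_REPORT))) {
  console.log(`${bucket}: ${entries.map((e) => e.command).join('; ') || '(none)'}`);
}
console.log('gate high (all deps):', gate(SAMPLE_REPORT, 'high').pass);
console.log('gate high (prod only):', gate(SAMPLE_REPORT, 'high', true).pass);
```

On the sample, the two review entries (quill, scss-tokenizer) come out with patchAvailable false, which is exactly the state the post ends in: no version to upgrade to, so the remaining decision is whether the vulnerable code path matters for this project.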
Security Issue CVE-2021-3163 · Issue #3364 · quilljs/quill
Hi. I would like to raise a security issue which is described in CVE-2021-3163. Is there any fix for that or do someone know an ETA when that security issue will be fixed? Thanks in advance.
Fixing scss-tokenizer > no version is currently safe.
All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.