4

I updated the Angular CLI and created a new project with routing and SCSS.

When I run npm install I see:


41 vulnerabilities (4 low, 37 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

I used the first command, npm audit fix, and it showed me this:

up to date, audited 985 packages in 5s

90 packages are looking for funding
  run `npm fund` for details

# npm audit report

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/node-forge
  selfsigned  >=1.1.1
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  >=2.5.0
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of postcss-preset-env
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/autoprefixer/node_modules/postcss
node_modules/css-blank-pseudo/node_modules/postcss
node_modules/css-has-pseudo/node_modules/postcss
node_modules/css-prefers-color-scheme/node_modules/postcss
node_modules/postcss-attribute-case-insensitive/node_modules/postcss
node_modules/postcss-color-functional-notation/node_modules/postcss
node_modules/postcss-color-gray/node_modules/postcss
node_modules/postcss-color-hex-alpha/node_modules/postcss
node_modules/postcss-color-mod-function/node_modules/postcss
node_modules/postcss-color-rebeccapurple/node_modules/postcss
node_modules/postcss-custom-media/node_modules/postcss
node_modules/postcss-custom-properties/node_modules/postcss
node_modules/postcss-custom-selectors/node_modules/postcss
node_modules/postcss-dir-pseudo-class/node_modules/postcss
node_modules/postcss-double-position-gradients/node_modules/postcss
node_modules/postcss-env-function/node_modules/postcss
node_modules/postcss-focus-visible/node_modules/postcss
node_modules/postcss-focus-within/node_modules/postcss
node_modules/postcss-font-variant/node_modules/postcss
node_modules/postcss-gap-properties/node_modules/postcss
node_modules/postcss-image-set-function/node_modules/postcss
node_modules/postcss-initial/node_modules/postcss
node_modules/postcss-lab-function/node_modules/postcss
node_modules/postcss-logical/node_modules/postcss
node_modules/postcss-media-minmax/node_modules/postcss
node_modules/postcss-nesting/node_modules/postcss
node_modules/postcss-overflow-shorthand/node_modules/postcss
node_modules/postcss-page-break/node_modules/postcss
node_modules/postcss-place/node_modules/postcss
node_modules/postcss-preset-env/node_modules/postcss
node_modules/postcss-pseudo-class-any-link/node_modules/postcss
node_modules/postcss-replace-overflow-wrap/node_modules/postcss
node_modules/postcss-selector-matches/node_modules/postcss
node_modules/postcss-selector-not/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    postcss-preset-env  <=7.0.0
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of css-blank-pseudo
    Depends on vulnerable versions of css-prefers-color-scheme
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-color-gray
    Depends on vulnerable versions of postcss-color-mod-function
    Depends on vulnerable versions of postcss-double-position-gradients
    Depends on vulnerable versions of postcss-focus-visible
    Depends on vulnerable versions of postcss-focus-within
    Depends on vulnerable versions of postcss-initial
    Depends on vulnerable versions of postcss-page-break
    node_modules/postcss-preset-env
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of postcss-preset-env
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
  css-blank-pseudo  <=1.0.0
  Depends on vulnerable versions of postcss
  node_modules/css-blank-pseudo
  css-has-pseudo  <=1.0.0
  Depends on vulnerable versions of postcss
  node_modules/css-has-pseudo
  css-prefers-color-scheme  <=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/css-prefers-color-scheme
  postcss-attribute-case-insensitive  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-attribute-case-insensitive
  postcss-color-functional-notation  <=3.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-functional-notation
  postcss-color-gray  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-gray
  postcss-color-hex-alpha  1.3.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-hex-alpha
  postcss-color-mod-function  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-mod-function
  postcss-color-rebeccapurple  1.2.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-rebeccapurple
  postcss-custom-media  4.0.0 - 7.0.8
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-media
  postcss-custom-properties  3.3.0 - 10.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-properties
  postcss-custom-selectors  2.3.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-selectors
  postcss-dir-pseudo-class  <=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-dir-pseudo-class
  postcss-double-position-gradients  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-double-position-gradients
  postcss-env-function  <=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-env-function
  postcss-focus-visible  <=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-visible
  postcss-focus-within  <=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-within
  postcss-font-variant  1.2.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-font-variant
  postcss-gap-properties  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-gap-properties
  postcss-image-set-function  <=3.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-image-set-function
  postcss-initial  <=3.0.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-initial
  postcss-lab-function  <=3.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-lab-function
  postcss-logical  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-logical
  postcss-media-minmax  1.2.0 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-media-minmax
  postcss-nesting  <=7.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-nesting
  postcss-overflow-shorthand  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-overflow-shorthand
  postcss-page-break  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-page-break
  postcss-place  <=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-place
  postcss-pseudo-class-any-link  <=6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-pseudo-class-any-link
  postcss-replace-overflow-wrap  <=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-replace-overflow-wrap
  postcss-selector-matches  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-matches
  postcss-selector-not  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-not
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

After that I ran npm audit fix --force

Now I have


25 vulnerabilities (3 low, 15 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

And I can no longer start the project either:

An unhandled exception occurred: require() of ES Module /Users/gboutte/Documents/my-project/node_modules/@angular/compiler-cli/bundles/index.js from /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js not supported.
Instead change the require of index.js in /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js to a dynamic import() which is available in all CommonJS modules.
See "/private/var/folders/yq/67x6zpfj695czhn4sqrwvxp40000gn/T/ng-h8zNpR/angular-errors.log" for further details.

Should I ignore these errors, or is there a way to fix them? I see postcss mentioned in the vulnerabilities; should I use something other than SCSS?


2 Answers

3

Agree with Will Alexander that we probably have to live with these vulnerabilities for now and upgrade to a newer Angular 13.xx that patches them. On the bright side, given how most people use Angular, these look like low-risk vulnerabilities (caveat: these are my best guesses; please chime in if I've missed something):

  • node-forge: it looks like this is used to create a self-signed SSL certificate for the local dev server (usually at localhost:4200) when running ng serve.
  • postcss: the build tooling uses it to parse and modify CSS (adding vendor prefixes, etc.). Not sure, but I think Angular still uses it even if you use CSS instead of SCSS.

So both of these are only used during development and are not deployed to production (where prototype pollution and RegEx DoS would be significant risks).

Also, if you are on the current version of Angular (v13), automating npm audit fix --force can cause more problems than it solves. It rolled @angular-devkit/build-angular back from 13.1.2 (for Angular v13) to 0.1101.2 (v11-lts, the long-term support build tooling for Angular v11). The mismatch between v11 build tooling and v13 code is probably what caused the unhandled exception when you tried to run it.

tl;dr: develop with Angular without npm audit fix (in this case!) because these vulnerabilities are not deployed to production. Updating to the newer Angular v13.xx should hopefully clean up npm audit in the near future.

answered 2022-01-10T16:25:36.197
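As an added example (not code from the question or from either answer): a small Node.js script that parses the text report npm audit prints, in the layout shown in the question, and checks each finding's dependency chain against a package.json to decide whether it is reachable only through devDependencies, which is the triage the answer above does by hand. The report excerpt and the package.json are constructed for the example, and the parser is written against the report layout shown, not against any npm API.

```javascript
// Added example: parse the text report printed by `npm audit` (npm 7+ layout,
// as shown in the question) and triage each finding by reachability.

// Constructed sample: an abridged copy of the report from the question.
const SAMPLE_REPORT = `# npm audit report

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via \`npm audit fix --force\`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/node-forge
  selfsigned  >=1.1.1
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  >=2.5.0
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via \`npm audit fix --force\`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/autoprefixer/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    @angular-devkit/build-angular  *
    Depends on vulnerable versions of autoprefixer
    node_modules/@angular-devkit/build-angular
`;

// Constructed package.json excerpt, shaped like an Angular CLI project:
// the build toolchain is listed under devDependencies only.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@angular/core': '~13.1.0', rxjs: '~7.4.0' },
  devDependencies: { '@angular-devkit/build-angular': '~13.1.2', typescript: '~4.5.2' },
};

// "name  range" lines: the package name (possibly scoped) followed by at least
// two spaces and a semver range. Other report lines use single spaces only.
const PKG_LINE = /^(\s*)(@?[^\s@/]+(?:\/[^\s]+)?)\s{2,}([<>=*\d].*)$/;
const ADVISORY_LINE = /^(.*?) - (https:\/\/github\.com\/advisories\/\S+)$/;

// Parse the report into one record per vulnerable package.
function parseAuditReport(text) {
  const findings = [];
  const blocks = text.replace(/^# npm audit report\s*/m, '').trim().split(/\n\s*\n/);
  for (const block of blocks) {
    const lines = block.split('\n');
    const head = PKG_LINE.exec(lines[0]);
    if (!head || head[1] !== '') continue; // not a finding block
    const finding = {
      name: head[2], range: head[3],
      severity: 'unspecified', // npm omits the Severity line for some entries
      advisories: [], fixAvailable: false, breaking: false,
      dependents: [], // packages that depend on the vulnerable one, outermost last
    };
    for (const line of lines.slice(1)) {
      const sev = /^Severity: (\w+)$/.exec(line);
      const adv = ADVISORY_LINE.exec(line);
      const dep = PKG_LINE.exec(line);
      if (sev) finding.severity = sev[1];
      else if (adv) finding.advisories.push({ title: adv[1], url: adv[2] });
      else if (line.startsWith('fix available')) finding.fixAvailable = true;
      else if (/breaking change/.test(line)) finding.breaking = true;
      else if (dep && dep[1] !== '') finding.dependents.push(dep[2]);
    }
    findings.push(finding);
  }
  return findings;
}

// A finding is dev-only when some package in its chain is a top-level
// devDependency and none is a top-level (production) dependency.
function triage(findings, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  return findings.map((f) => {
    const chain = [f.name, ...f.dependents];
    const viaProd = chain.filter((n) => prod.has(n));
    const viaDev = chain.filter((n) => dev.has(n));
    const scope = viaProd.length ? 'production' : viaDev.length ? 'dev-only' : 'unknown';
    return { name: f.name, severity: f.severity, scope, viaProd, viaDev };
  });
}

function triageSample() {
  return triage(parseAuditReport(SAMPLE_REPORT), SAMPLE_PACKAGE_JSON);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triageSample()) {
    console.log(`${r.name.padEnd(12)} ${r.severity.padEnd(12)} ${r.scope}` +
      (r.viaDev.length ? `  via devDependencies: ${r.viaDev.join(', ')}` : ''));
  }
}
```

Run it with node; both sample findings come out as dev-only because the only top-level package in their chains is @angular-devkit/build-angular, which sits in devDependencies. A finding whose chain reaches nothing in package.json is reported as unknown rather than dev-only, so it is not silently dismissed. A lighter check that needs no parsing is npm audit --omit=dev (npm 8 and later; --production on older npm), which leaves devDependencies out of the audit entirely.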
2

I'm afraid you just have to live with these vulnerabilities. Angular has a very strict set of dependencies, and by changing the versions of those dependencies you have broken your app.

Make sure to update your Angular project as often as possible, since the Angular team regularly updates Angular's dependencies to mitigate these issues.

answered 2022-01-10T11:25:23.820