I need some help understanding and correctly fixing the vulnerabilities I see when I run npm audit (or just npm install) on my Angular project. I just updated from Angular v12 to v13, and several vulnerabilities are listed. Note that I have already run `npm install` and `npm update`, but I still get these audit warnings. The problem is that I don't understand which vulnerabilities I can fix by updating packages without causing problems for Angular. I started investigating this and noticed that my Angular dependencies don't even list the old versions that the npm audit call reports, so clearly I don't even understand that part.
Below are 6 examples of the 20+ audit warnings shown for the postcss package when I run `npm audit` in my workspace. However, in my package-lock.json file, "@angular-devkit/build-angular" has a "requires" list that includes:
"postcss": "8.4.4",
"postcss-import": "14.0.2",
"postcss-loader": "6.2.1",
"postcss-preset-env": "6.7.0",
I have a lot of questions... First, postcss is listed as 8.4.4, so I don't understand why, according to the audit warning, I would have a version earlier than 8.2.13 installed. However, the audit warning says "Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss"... does that mean postcss-preset-env is a different package that uses an older version of the postcss package as its own dependency? More importantly, does this indicate that the old version (6.7.0 in this case) is required, and that if I update it or run audit fix I am no longer satisfying the dependency here? After all, there is no caret (^6.7.0), so it seems to indicate a specific version. I just don't know what I can or should do here. I fixed the other "high" vulnerabilities that were unrelated to Angular, but what should I do with these? Can I fix them without breaking my app? What command would actually update postcss-preset-env? Should I just ignore these warnings, since the Angular team has already reviewed them and gone ahead with their release?
Moderate      Regular Expression Denial of Service in postcss
Package       postcss
Patched in    >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss
More info     https://github.com/advisories/GHSA-566m-qj78-rww5

Moderate      Regular Expression Denial of Service in postcss
Package       postcss
Patched in    >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > postcss-preset-env > css-blank-pseudo > postcss
More info     https://github.com/advisories/GHSA-566m-qj78-rww5

Moderate      Regular Expression Denial of Service in postcss
Package       postcss
Patched in    >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > postcss-preset-env > css-has-pseudo > postcss
More info     https://github.com/advisories/GHSA-566m-qj78-rww5

Moderate      Regular Expression Denial of Service in postcss
Package       postcss
Patched in    >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > postcss-preset-env > css-prefers-color-scheme > postcss
More info     https://github.com/advisories/GHSA-566m-qj78-rww5

Moderate      Regular Expression Denial of Service in postcss
Package       postcss
Patched in    >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > postcss-preset-env > postcss
More info     https://github.com/advisories/GHSA-566m-qj78-rww5

Moderate      Regular Expression Denial of Service in postcss
Package       postcss
Patched in    >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > postcss-preset-env > postcss-attribute-case-insensitive > postcss
More info     https://github.com/advisories/GHSA-566m-qj78-rww5
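The following is an added example; it is not part of the question and not npm's or Angular's own code. It illustrates why the audit paths above can point at an older postcss than the 8.4.4 listed under @angular-devkit/build-angular: whenever a requester's version range cannot be satisfied by the hoisted copy in the top-level node_modules, npm installs a separate copy nested under that requester, and `npm audit` reports each installed copy along its requester chain. The script walks a constructed lockfileVersion 2 `packages` map (the versions, ranges and the autoprefixer 9.x entry are illustrative assumptions, not taken from the asker's project), reproduces Node's nearest-`node_modules` lookup to work out which copy each requester actually gets, and lists every installed postcss with its requester chain in the same `a > b > c` form as the audit output, checked against the 8.2.13 floor quoted above.

```javascript
// Added example, not code from the original question. Walks the "packages" map
// of a lockfileVersion 2 package-lock.json, finds every installed copy of one
// package, and rebuilds the requester chain the way "npm audit" prints it.
// The lockfile fragment and ranges below are constructed for the demo.

const PATCHED_VERSION = "8.2.13"; // from the audit output: "Patched in >=8.2.13"

// Constructed lockfile fragment (assumed layout/versions, not the asker's project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { devDependencies: { "@angular-devkit/build-angular": "13.0.0" } },
    "node_modules/@angular-devkit/build-angular": {
      version: "13.0.0",
      dependencies: { postcss: "8.4.4", "postcss-preset-env": "6.7.0" },
    },
    "node_modules/postcss": { version: "8.4.4" },
    "node_modules/postcss-preset-env": {
      version: "6.7.0",
      dependencies: { autoprefixer: "^9.6.1", postcss: "^7.0.17" },
    },
    "node_modules/postcss-preset-env/node_modules/postcss": { version: "7.0.39" },
    "node_modules/autoprefixer": { version: "9.8.8", dependencies: { postcss: "^7.0.32" } },
    "node_modules/autoprefixer/node_modules/postcss": { version: "7.0.39" },
  },
};

// Minimal x.y.z comparison, enough for a "patched in >= X" check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unexpected version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function isAtLeast(version, minimum) {
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Package name from a lockfile path: whatever follows the last "node_modules/".
function nameOf(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Node-style lookup: the nearest node_modules/<dep> walking up from fromPath.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Edge list: installed package -> the installed packages its dependencies resolve to.
function buildGraph(packages) {
  const edges = new Map();
  for (const [from, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(from === "" ? meta.devDependencies || {} : {}) };
    edges.set(from, Object.keys(deps).map((d) => resolveDep(packages, from, d)).filter(Boolean));
  }
  return edges;
}

// Every acyclic path from the project root to one installed copy, formatted like
// the "Path" line of npm audit ("a > b > c").
function chainsTo(edges, target) {
  const chains = [];
  const walk = (node, trail) => {
    if (node === target) { chains.push(trail.map(nameOf).join(" > ")); return; }
    for (const next of edges.get(node) || []) {
      if (!trail.includes(next)) walk(next, [...trail, next]);
    }
  };
  walk("", []);
  return chains;
}

// Each installed copy of `name`: who asked for it with which range, whether it
// meets the patched floor, and the requester chains that lead to it.
function installedCopies(lock, name, patched) {
  const packages = lock.packages;
  const edges = buildGraph(packages);
  const copies = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (lockPath === "" || nameOf(lockPath) !== name) continue;
    const requestedBy = [];
    for (const [from, fromMeta] of Object.entries(packages)) {
      const range = (fromMeta.dependencies || {})[name];
      if (range && resolveDep(packages, from, name) === lockPath) {
        requestedBy.push(`${nameOf(from) || "(root)"} wants ${range}`);
      }
    }
    copies.push({ path: lockPath, version: meta.version,
      patched: isAtLeast(meta.version, patched), requestedBy, chains: chainsTo(edges, lockPath) });
  }
  return copies;
}

function printReport(lock, name, patched) {
  for (const c of installedCopies(lock, name, patched)) {
    console.log(`${c.path} -> ${c.version} (${c.patched ? "patched" : "VULNERABLE"})`);
    c.requestedBy.forEach((r) => console.log(`  requested: ${r}`));
    c.chains.forEach((ch) => console.log(`  path: ${ch}`));
  }
}

printReport(SAMPLE_LOCK, "postcss", PATCHED_VERSION);
```

In the constructed lock this reports three installed copies of postcss: the hoisted 8.4.4 that @angular-devkit/build-angular asked for, plus a 7.x copy nested under postcss-preset-env and another under autoprefixer, each with the same `@angular-devkit/build-angular > postcss-preset-env > ... > postcss` chain that the audit output prints. On a real project the same information comes from `npm ls postcss --all` and `npm explain postcss` (npm 7 and later): the `requires`/`dependencies` range on a parent entry records what the parent asked for, while the nested `node_modules/<parent>/node_modules/postcss` entry records what was actually installed to satisfy it.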