【Question title】: Npm audit critical fix immer <=9.0.5
【Posted】: 2021-12-29 20:35:28
【Question】:

In my React project, when I run npm audit I get the following critical vulnerability:

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-9qmh-276g-x5pj
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change
node_modules/react-dev-utils/node_modules/immer
  react-dev-utils  0.4.0 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of globby
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of inquirer
  node_modules/react-dev-utils
    react-scripts  >=0.8.0
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of jest
    Depends on vulnerable versions of jest-watch-typeahead
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of terser-webpack-plugin
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

I know I should update the immer version to a higher one, and I have tried to do that, but the critical vulnerability is still there. Strangely, when I look at package.json the version I see is 9.0.6.

package.json:

{
  "name": "web-app",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.5.0",
    "@testing-library/user-event": "^7.2.1",
    "autosuggest-highlight": "latest",
    "axios": "^0.24.0",
    "bootstrap": "^4.6.0",
    "glob-parent": "^6.0.0",
    "immer": "^9.0.6",
    "js-cookie": "^2.2.1",
    "object-path": "^0.11.8",
    "react": "^15.7.0",
    "react-alert": "^7.0.3",
    "react-bootstrap": "^1.6.4",
    "react-bootstrap-autosuggest": "latest",
    "react-dom": "^16.14.0",
    "react-router": "^5.2.1",
    "react-scripts": "3.4.0",
    "react-select": "^3.2.0",
    "serialize-javascript": "^6.0.0",
    "yargs-parser": "^13.1.2"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  },
  "devDependencies": {
    "@material-ui/core": "^4.12.3",
    "react-alert-template-basic": "^1.0.2",
    "react-router-dom": "^5.3.0"
  },
  "proxy": "http://localhost:$port"
}

In package-lock.json I see these instances of immer:

"immer": {
  "version": "9.0.7",
  "resolved": "https://registry.npmjs.org/immer/-/immer-9.0.7.tgz",
  "integrity": "sha512-KGllzpbamZDvOIxnmJ0jI840g7Oikx58lBPWV0hUh7dtAyZpFqqrBZdKka5GlTwMTZ1Tjc/bKKW4VSFAt6BqMA=="
},

"react-dev-utils": {
  "version": "10.2.1",
  "resolved": "https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-10.2.1.tgz",
  "integrity": "sha512-XxTbgJnYZmxuPtY3y/UV0D8/65NKkmaia4rXzViknVnZeVlklSh8u6TnaEYPfAi/Gh1TP4mEOXHI6jQOPbeakQ==",
  "requires": {
    "@babel/code-frame": "7.8.3",
    "address": "1.1.2",
    "browserslist": "4.10.0",
    "chalk": "2.4.2",
    "cross-spawn": "7.0.1",
    "detect-port-alt": "1.1.6",
    "escape-string-regexp": "2.0.0",
    "filesize": "6.0.1",
    "find-up": "4.1.0",
    "fork-ts-checker-webpack-plugin": "3.1.1",
    "global-modules": "2.0.0",
    "globby": "8.0.2",
    "gzip-size": "5.1.1",
    "immer": "1.10.0",
    "inquirer": "7.0.4",
    "is-root": "2.1.0",
    "loader-utils": "1.2.3",
    "open": "^7.0.2",
    "pkg-up": "3.1.0",
    "react-error-overlay": "^6.0.7",
    "recursive-readdir": "2.2.2",
    "shell-quote": "1.7.2",
    "strip-ansi": "6.0.0",
    "text-table": "0.2.0"
  },

"immer": {
  "version": "1.10.0",
  "resolved": "https://registry.npmjs.org/immer/-/immer-1.10.0.tgz",
  "integrity": "sha512-O3sR1/opvCDGLEVcvrGTMtLac8GJ5IwZC4puPrLuRj3l7ICKvkmA0vGuU9OW8mV9WIBRnaxp5GJh9IEAaNOoYg=="
},

Any idea how to fix this critical vulnerability?

【Question discussion】:

    Tags: reactjs npm


    【Solution 1】:

    As you can see in package-lock.json, there are two instances of immer. 9.0.7 comes from the version in your package.json, but internally react-dev-utils also requires "immer": "1.10.0", which is why you are hitting the problem. Try upgrading the react-scripts package to the latest version (since react-dev-utils comes from it, and hence the old immer version), and then I believe you will be good. If you find this helpful please upvote, otherwise let me know.

    【Discussion】:
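The answer's point, that the copy of immer flagged by npm audit is a nested one owned by react-dev-utils rather than the top-level 9.0.7, can be checked mechanically. The following script is an added example, not code from the question, the answer or the immer/react-scripts projects: it walks the `dependencies` tree of a lockfileVersion 1 package-lock.json, lists every copy of a package together with the chain of parents that pulled it in, and marks copies whose version falls inside the range npm audit reported (`<=9.0.5`). `SAMPLE_LOCK` is a constructed fragment that mirrors the question; the hypothetical function names (`findPackage`, `reportLines`) are this example's own. The version comparison handles plain `major.minor.patch` strings only, which is enough for the versions shown above.

```javascript
// Added example (not code from the question or the answer): walk an npm
// lockfileVersion 1 "dependencies" tree and list every copy of a package,
// with its nesting path, flagging the copies that fall in a vulnerable range.
// SAMPLE_LOCK is constructed to mirror the question: a top-level immer 9.0.7
// plus an old immer 1.10.0 nested under react-dev-utils.

// Upper bound of the vulnerable range reported by npm audit: "immer <=9.0.5".
const VULNERABLE_MAX = '9.0.5';

// Parse the numeric "major.minor.patch" prefix; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1: compares major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every entry named `name` anywhere in the tree.
// Each hit records its version and the chain of parents that pulled it in,
// which is the same information npm audit prints as node_modules paths.
function findPackage(lock, name, vulnerableMax = VULNERABLE_MAX) {
  const hits = [];
  function walk(deps, path) {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = [...path, depName];
      if (depName === name) {
        hits.push({
          version: entry.version,
          path: here.join(' > '),
          vulnerable: compareVersions(entry.version, vulnerableMax) <= 0,
        });
      }
      walk(entry.dependencies, here); // nested copies live under "dependencies"
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile fragment (not the asker's real package-lock.json).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    immer: { version: '9.0.7' },
    'react-scripts': {
      version: '3.4.0',
      requires: { 'react-dev-utils': '10.2.1' },
    },
    'react-dev-utils': {
      version: '10.2.1',
      requires: { immer: '1.10.0' },
      dependencies: {
        immer: { version: '1.10.0' },
      },
    },
  },
};

// One human-readable line per copy found, in audit-like "path@version" form.
function reportLines(lock, name) {
  return findPackage(lock, name).map(
    (h) => `${h.path}@${h.version}${h.vulnerable ? '  <-- vulnerable' : ''}`
  );
}

console.log(reportLines(SAMPLE_LOCK, 'immer').join('\n'));
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested hit is the one that matters: because it sits under react-dev-utils, changing the top-level `"immer"` entry in package.json can never replace it, which is why the asker's bump to 9.0.6 had no effect. Newer lockfiles (lockfileVersion 2 and 3) additionally carry a flat `packages` map keyed by `node_modules/...` path, so for those the walk would read that map instead of the nested `dependencies` tree.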
