shun-harutaro / thaiping

Thai typing practice on smartphone and PC alike
https://shun-harutaro.github.io/thaiping/
MIT License

Fixing Vulnerabilities #22

Open shun-harutaro opened 2 years ago

shun-harutaro commented 2 years ago
❯ npm audit
# npm audit report

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
    react-scripts  >=2.1.4
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of resolve-url-loader
    node_modules/react-scripts

8 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
shun-harutaro commented 2 years ago

Using npm audit fix --force downgrades react-scripts.

shun-harutaro commented 2 years ago

https://qiita.com/hibikikudo/items/0af352acac85fce28ec2

Let me check the dependency chains of the problematic nth-check and postcss.

shun-harutaro commented 2 years ago
❯ npm ls nth-check
thaiping@0.1.0 /home/shun_harutaro/thaiping
└─┬ react-scripts@5.0.0
  ├─┬ @svgr/webpack@5.5.0
  │ └─┬ @svgr/plugin-svgo@5.5.0
  │   └─┬ svgo@1.3.2
  │     └─┬ css-select@2.1.0
  │       └── nth-check@1.0.2
  └─┬ html-webpack-plugin@5.5.0
    └─┬ pretty-error@4.0.0
      └─┬ renderkid@3.0.0
        └─┬ css-select@4.2.1
          └── nth-check@2.0.1
shun-harutaro commented 2 years ago
❯ npm ls postcss
thaiping@0.1.0 /home/shun_harutaro/thaiping
└─┬ react-scripts@5.0.0
*** omit ***
  ├─┬ css-loader@6.5.1
  ├── postcss@8.4.5
  ├─┬ resolve-url-loader@4.0.0
  │ └── postcss@7.0.39
  └─┬ tailwindcss@3.0.12
    ├─┬ postcss-js@4.0.0
    │ └── postcss@8.4.5 deduped
    ├─┬ postcss-nested@5.0.6
    │ └── postcss@8.4.5 deduped
    └── postcss@8.4.5 deduped
shun-harutaro commented 2 years ago

css-select@2.1.0 / resolve-url-loader@4.0.0: only the copies under these two have a different version, so they are not marked deduped.
Current latest versions:
postcss: 8.4.5
nth-check: 2.0.1
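
As an added example (not code from this issue or from the thaiping project): a small Node script that does by program what the `npm ls` checks above do by hand. It walks a lockfileVersion 2 `packages` map and flags every nested copy of nth-check and postcss still below the fixed versions named in the two advisories. The lock data and the `FIXED_IN` table are constructed here from the versions seen in this thread.

```javascript
// Constructed lock data mirroring the tree shown by `npm ls` in this thread
// (not the project's real package-lock.json).
const LOCK = {
  name: "thaiping",
  lockfileVersion: 2,
  packages: {
    "": { name: "thaiping", version: "0.1.0" },
    "node_modules/nth-check": { version: "2.0.1" },
    "node_modules/svgo/node_modules/nth-check": { version: "1.0.2" },
    "node_modules/postcss": { version: "8.4.5" },
    "node_modules/resolve-url-loader/node_modules/postcss": { version: "7.0.39" },
  },
};

// First fixed version from each advisory quoted in the npm audit output.
const FIXED_IN = { "nth-check": "2.0.1", postcss: "8.2.13" };

// Compare dotted numeric versions (major.minor.patch); prerelease tags ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" segment,
// so scoped names such as @svgr/webpack are kept intact.
function packageName(lockPath) {
  const segs = lockPath.split("node_modules/");
  return segs[segs.length - 1];
}

// Every installed copy of `name`: its lock path, version and whether it is
// still in the vulnerable range. Nested duplicates (svgo's nth-check@1.0.2)
// are exactly the ones a top-level version bump does not reach.
function findCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p && packageName(p) === name)
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      vulnerable: compareVersions(meta.version, FIXED_IN[name]) < 0,
    }));
}

for (const name of Object.keys(FIXED_IN)) {
  for (const c of findCopies(LOCK, name)) {
    console.log(`${c.vulnerable ? "VULN" : "ok  "} ${name}@${c.version}  ${c.path}`);
  }
}
```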

shun-harutaro commented 2 years ago
❯ npm ls nth-check
thaiping@0.1.0 /home/shun_harutaro/thaiping
└─┬ react-scripts@5.0.0
  ├─┬ @svgr/webpack@5.5.0
  │ └─┬ @svgr/plugin-svgo@5.5.0
  │   └─┬ svgo@1.3.2
  │     └─┬ css-select@2.1.0
  │       └── nth-check@1.0.2 invalid: "^2.0.1" from node_modules/svgo/node_modules/css-select
  └─┬ html-webpack-plugin@5.5.0
    └─┬ pretty-error@4.0.0
      └─┬ renderkid@3.0.0
        └─┬ css-select@4.2.1
          └── nth-check@2.0.1
npm ERR! code ELSPROBLEMS
npm ERR! invalid: nth-check@1.0.2 /home/shun_harutaro/thaiping/node_modules/svgo/node_modules/nth-check

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/shun_harutaro/.npm/_logs/2022-01-13T07_37_45_844Z-debug-0.log

Starting with nth-check: just rewriting the version gets rejected.

shun-harutaro commented 2 years ago

After npm dedupe it went away.

shun-harutaro commented 2 years ago

...or so I thought, but it came back.

shun-harutaro commented 2 years ago
    "node_modules/svgo/node_modules/css-select": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/css-select/-/css-select-2.1.0.tgz",
      "integrity": "sha512-Dqk7LQKpwLoH3VovzZnkzegqNSuAziQyNZUcrdDM401iY+R5NkGBXGmtO05/yaXQziALuPogeG0b7UAgjnTJTQ==",
      "dependencies": {
        //"boolbase": "^1.0.0",
        //"css-what": "^3.2.1",
        //"domutils": "^1.7.0",
        "nth-check": "^2.0.1"
      }
    },

rm -rf node_modules followed by npm install works.

shun-harutaro commented 2 years ago

Same for postcss.

    "node_modules/resolve-url-loader": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/resolve-url-loader/-/resolve-url-loader-4.0.0.tgz",
      "integrity": "sha512-05VEMczVREcbtT7Bz+C+96eUO5HDNvdthIiMB34t7FcF8ehcu4wC0sSgPUubs3XW2Q3CNLJk/BJrCU9wVRymiA==",
      "dependencies": {
        //"adjust-sourcemap-loader": "^4.0.0",
        //"convert-source-map": "^1.7.0",
        //"loader-utils": "^2.0.0",
        "postcss": "^8.4.5"//"^7.0.35",
        //"source-map": "0.6.1"
      },
shun-harutaro commented 2 years ago

No good... it errors.

shun-harutaro commented 2 years ago

In the first place, the original repository requires 7.0.35: https://github.com/bholloway/resolve-url-loader/blob/v4-maintenance/packages/resolve-url-loader/package.json#L41