
The vulnerability problem

12 vulnerabilities (6 moderate, 6 high). `npm audit fix --force` does not work, so the only option is to fix them by hand.

Reference

I'll fix them manually while reading the ``npm audit`` output.

https://zenn.dev/kugyu10/articles/d297123ba0eae3

This was a huge help. Thank you.


fast-xml-parser

Current state 1

-> npm audit
# npm audit report

fast-xml-parser  <=4.2.3
Severity: high
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - <https://github.com/advisories/GHSA-6w63-h3fj-q4vw>
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - <https://github.com/advisories/GHSA-x3cc-x39p-42qx>
fix available via `npm audit fix --force`
Will install ogp-parser@0.4.7, which is a breaking change
node_modules/ogp-parser/node_modules/fast-xml-parser
  ogp-parser  >=0.5.1
  Depends on vulnerable versions of fast-xml-parser
  node_modules/ogp-parser

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - <https://github.com/advisories/GHSA-c2qf-rxjj-qqgw>
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

4 vulnerabilities (2 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

-> npm ls fast-xml-parser
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
└─┬ ogp-parser@0.8.1
  └── fast-xml-parser@3.21.1

Fix 1

Rewrite package-lock.json

    "node_modules/ogp-parser": {
      "version": "0.8.1",
      "resolved": "https://registry.npmjs.org/ogp-parser/-/ogp-parser-0.8.1.tgz",
      "integrity": "sha512-sqBbX6BBX9YlwK5UL8qreV/mts2jKtmHlNJ6cMVLEA59BYuaWCToieUmWg+wxpxZoeCg+pbxWcd5r8wVtstB3g==",
      "dependencies": {
        "cheerio": "^1.0.0-rc.12",
        "fast-xml-parser": "^3.16.0",  // ← OLD
        "fast-xml-parser": "^4.2.4",   // ← NEW: this is the only line that was changed.
        "he": "^1.2.0",
        "iconv-lite": "0.5.1",
        "jschardet": "2.1.1"
      }

After deleting the node_modules folder, run the following:

-> npm install

> noblog@0.1.0 prepare
> husky install

husky - Git hooks installed

added 1746 packages, and audited 1747 packages in 26s

369 packages are looking for funding
  run `npm fund` for details

2 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Result 1

-> npm ls fast-xml-parser
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
└─┬ ogp-parser@0.8.1
  └── fast-xml-parser@4.2.5    // ← updated successfully.

simple-update-notifier

Current state 2

-> npm audit
# npm audit report

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - <https://github.com/advisories/GHSA-c2qf-rxjj-qqgw>
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

2 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix


-> npm ls semver
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
├─┬ @storybook/addon-essentials@7.0.27
│ ├─┬ @storybook/addon-docs@7.0.27
│ │ └─┬ @jest/transform@29.6.1
│ │   └─┬ babel-plugin-istanbul@6.1.1
│ │     └─┬ istanbul-lib-instrument@5.2.1
│ │       └── semver@6.3.1
│ └─┬ @storybook/manager-api@7.0.27
│   └── semver@7.5.4 deduped
├─┬ @storybook/addon-postcss@2.0.0
│ ├─┬ css-loader@3.6.0
│ │ └── semver@6.3.1
│ └─┬ postcss-loader@4.3.0
│   └── semver@7.5.4 deduped
├─┬ @storybook/nextjs@7.0.27
│ ├─┬ @storybook/builder-webpack5@7.0.27
│ │ ├─┬ css-loader@6.8.1
│ │ │ └── semver@7.5.4 deduped
│ │ ├─┬ fork-ts-checker-webpack-plugin@7.3.0
│ │ │ └── semver@7.5.4 deduped
│ │ └── semver@7.5.4 deduped
│ ├─┬ @storybook/preset-react-webpack@7.0.27
│ │ ├─┬ @storybook/react-docgen-typescript-plugin@1.0.6--canary.9.0c3f3b7.0
│ │ │ └─┬ find-cache-dir@3.3.2
│ │ │   └─┬ make-dir@3.1.0
│ │ │     └── semver@6.3.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ css-loader@6.8.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ postcss-loader@7.3.3
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4
├─┬ @typescript-eslint/eslint-plugin@6.0.0
│ ├─┬ @typescript-eslint/type-utils@6.0.0
│ │ └─┬ @typescript-eslint/utils@6.0.0
│ │   └── semver@7.5.4 deduped
│ ├─┬ @typescript-eslint/utils@6.0.0
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4 deduped
├─┬ @typescript-eslint/parser@6.0.0
│ └─┬ @typescript-eslint/typescript-estree@6.0.0
│   └── semver@7.5.4 deduped
├─┬ eslint-config-next@13.4.10
│ ├─┬ @typescript-eslint/parser@5.62.0
│ │ └─┬ @typescript-eslint/typescript-estree@5.62.0
│ │   └── semver@7.5.4 deduped
│ ├─┬ eslint-plugin-jsx-a11y@6.7.1
│ │ └── semver@6.3.1
│ └─┬ eslint-plugin-react@7.32.2
│   └── semver@6.3.1
├─┬ eslint-plugin-import@2.27.5
│ └── semver@6.3.1
├─┬ eslint-plugin-storybook@0.6.12
│ └─┬ @typescript-eslint/utils@5.61.0
│   ├─┬ @typescript-eslint/typescript-estree@5.61.0
│   │ └── semver@7.5.4 deduped
│   └── semver@7.5.4 deduped
└─┬ storybook@7.0.27
  └─┬ @storybook/cli@7.0.27
    ├─┬ @storybook/codemod@7.0.27
    │ ├─┬ @babel/core@7.21.8
    │ │ └── semver@6.3.1
    │ └─┬ @babel/preset-env@7.21.5
    │   ├─┬ babel-plugin-polyfill-corejs2@0.3.3
    │   │ ├─┬ @babel/helper-define-polyfill-provider@0.3.3
    │   │ │ └── semver@6.3.1 deduped
    │   │ └── semver@6.3.1 deduped
    │   └── semver@6.3.1 deduped
    ├─┬ @storybook/core-server@7.0.27
    │ └── semver@7.5.4 deduped
    ├─┬ jscodeshift@0.14.0
    │ └─┬ @babel/register@7.22.5
    │   └─┬ make-dir@2.1.0
    │     └── semver@5.7.2
    ├─┬ read-pkg-up@7.0.1
    │ └─┬ read-pkg@5.2.0
    │   └─┬ normalize-package-data@2.5.0
    │     └── semver@5.7.2
    ├── semver@7.5.4 deduped
    └─┬ simple-update-notifier@1.1.0
      └── semver@7.0.0                 // ← this one alone is the problem

It's long, but don't panic.

The point is that only the very last line seems to be the problem.

Fix 2

    "node_modules/simple-update-notifier": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-1.1.0.tgz",
      "integrity": "sha512-VpsrsJSUcJEseSbMHkrsrAVSdvVS5I96Qo1QAQ4FxQ9wXFcB+pjj7FB7/us9+GcgfW4ziHtYMc1J0PLczb55mg==",
      "dev": true,
      "dependencies": {
        "semver": "~7.0.0"  // ← OLD
        "semver": "^7.5.2"  // ← NEW: only this line changes
      },
      "engines": {
        "node": ">=8.10.0"
      }
    },

Searching package-lock.json for semver turned up a lot of hits, but

from the `npm ls` output I figured that changing just this spot might be enough, and it worked!

Result 2

PS C:\\..\\Doc\\..\\git\\blog> npm ls semver
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
├─┬ @storybook/addon-essentials@7.0.27
│ ├─┬ @storybook/addon-docs@7.0.27
│ │ └─┬ @jest/transform@29.6.1
│ │   └─┬ babel-plugin-istanbul@6.1.1
│ │     └─┬ istanbul-lib-instrument@5.2.1
│ │       └── semver@6.3.1
│ └─┬ @storybook/manager-api@7.0.27
│   └── semver@7.5.4 deduped
├─┬ @storybook/addon-postcss@2.0.0
│ ├─┬ css-loader@3.6.0
│ │ └── semver@6.3.1
│ └─┬ postcss-loader@4.3.0
│   └── semver@7.5.4 deduped
├─┬ @storybook/nextjs@7.0.27
│ ├─┬ @storybook/builder-webpack5@7.0.27
│ │ ├─┬ css-loader@6.8.1
│ │ │ └── semver@7.5.4 deduped
│ │ ├─┬ fork-ts-checker-webpack-plugin@7.3.0
│ │ │ └── semver@7.5.4 deduped
│ │ └── semver@7.5.4 deduped
│ ├─┬ @storybook/preset-react-webpack@7.0.27
│ │ ├─┬ @storybook/react-docgen-typescript-plugin@1.0.6--canary.9.0c3f3b7.0
│ │ │ └─┬ find-cache-dir@3.3.2
│ │ │   └─┬ make-dir@3.1.0
│ │ │     └── semver@6.3.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ css-loader@6.8.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ postcss-loader@7.3.3
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4
├─┬ @typescript-eslint/eslint-plugin@6.0.0
│ ├─┬ @typescript-eslint/type-utils@6.0.0
│ │ └─┬ @typescript-eslint/utils@6.0.0
│ │   └── semver@7.5.4 deduped
│ ├─┬ @typescript-eslint/utils@6.0.0
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4 deduped
├─┬ @typescript-eslint/parser@6.0.0
│ └─┬ @typescript-eslint/typescript-estree@6.0.0
│   └── semver@7.5.4 deduped
├─┬ eslint-config-next@13.4.10
│ ├─┬ @typescript-eslint/parser@5.62.0
│ │ └─┬ @typescript-eslint/typescript-estree@5.62.0
│ │   └── semver@7.5.4 deduped
│ ├─┬ eslint-plugin-jsx-a11y@6.7.1
│ │ └── semver@6.3.1
│ └─┬ eslint-plugin-react@7.32.2
│   └── semver@6.3.1
├─┬ eslint-plugin-import@2.27.5
│ └── semver@6.3.1
├─┬ eslint-plugin-storybook@0.6.12
│ └─┬ @typescript-eslint/utils@5.61.0
│   ├─┬ @typescript-eslint/typescript-estree@5.61.0
│   │ └── semver@7.5.4 deduped
│   └── semver@7.5.4 deduped
└─┬ storybook@7.0.27
  └─┬ @storybook/cli@7.0.27
    ├─┬ @storybook/codemod@7.0.27
    │ ├─┬ @babel/core@7.21.8
    │ │ └── semver@6.3.1
    │ └─┬ @babel/preset-env@7.21.5
    │   ├─┬ babel-plugin-polyfill-corejs2@0.3.3
    │   │ ├─┬ @babel/helper-define-polyfill-provider@0.3.3
    │   │ │ └── semver@6.3.1 deduped
    │   │ └── semver@6.3.1 deduped
    │   └── semver@6.3.1 deduped
    ├─┬ @storybook/core-server@7.0.27
    │ └── semver@7.5.4 deduped
    ├─┬ jscodeshift@0.14.0
    │ └─┬ @babel/register@7.22.5
    │   └─┬ make-dir@2.1.0
    │     └── semver@5.7.2
    ├─┬ read-pkg-up@7.0.1
    │ └─┬ read-pkg@5.2.0
    │   └─┬ normalize-package-data@2.5.0
    │     └── semver@5.7.2
    ├── semver@7.5.4 deduped
    └─┬ simple-update-notifier@1.1.0
      └── semver@7.5.4 deduped         // ← this one alone was updated!


The following approach was abandoned

Bumping package.json to the latest versions with ncu -u.

The dependencies broke and the build stopped passing.

https://rinoguchi.net/2021/11/npm-version-up-and-fix-audit.html