Vulnerability issues
12 vulnerabilities (6 moderate, 6 high)
npm audit fix --force does not solve it: the only "fix" it offers is downgrading ogp-parser to 0.4.7, a breaking change.
The only option is to fix it by hand.
Reference
Fixing things manually while reading ``npm audit``
It was a great help. Thank you.
fast-xml-parser
Current state 1
-> npm audit
# npm audit report
fast-xml-parser <=4.2.3
Severity: high
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - <https://github.com/advisories/GHSA-6w63-h3fj-q4vw>
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - <https://github.com/advisories/GHSA-x3cc-x39p-42qx>
fix available via `npm audit fix --force`
Will install ogp-parser@0.4.7, which is a breaking change
node_modules/ogp-parser/node_modules/fast-xml-parser
ogp-parser >=0.5.1
Depends on vulnerable versions of fast-xml-parser
node_modules/ogp-parser
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - <https://github.com/advisories/GHSA-c2qf-rxjj-qqgw>
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
4 vulnerabilities (2 moderate, 2 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
-> npm ls fast-xml-parser
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
└─┬ ogp-parser@0.8.1
└── fast-xml-parser@3.21.1
Fix 1
Edit package-lock.json by hand. Only the range that ogp-parser declares for fast-xml-parser changes; the ``resolved`` URL and ``integrity`` hash are left alone, because the hash covers the ogp-parser tarball itself, not the ranges listed under it.
"node_modules/ogp-parser": {
"version": "0.8.1",
"resolved": "<https://registry.npmjs.org/ogp-parser/-/ogp-parser-0.8.1.tgz>",
"integrity": "sha512-sqBbX6BBX9YlwK5UL8qreV/mts2jKtmHlNJ6cMVLEA59BYuaWCToieUmWg+wxpxZoeCg+pbxWcd5r8wVtstB3g==",
"dependencies": {
"cheerio": "^1.0.0-rc.12",
"fast-xml-parser": "^3.16.0", // ← OLD
"fast-xml-parser": "^4.2.4", // ← NEW: only this line was changed
"he": "^1.2.0",
"iconv-lite": "0.5.1",
"jschardet": "2.1.1"
}
},
After deleting the node_modules folder, run the following (npm install then re-resolves fast-xml-parser against the edited range):
-> npm install
> noblog@0.1.0 prepare
> husky install
husky - Git hooks installed
added 1746 packages, and audited 1747 packages in 26s
369 packages are looking for funding
run `npm fund` for details
2 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
Result 1
-> npm ls fast-xml-parser
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
└─┬ ogp-parser@0.8.1
└── fast-xml-parser@4.2.5 // ← updated
Note that this moves fast-xml-parser across a major version (3 to 4) that ogp-parser 0.8.1 was not written against (it declares ^3.16.0), so the part of the site that uses ogp-parser needs to be exercised once to confirm it still works; npm audit only compares version numbers, it does not run the code that depends on them.
simple-update-notifier
Current state 2
-> npm audit
# npm audit report
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - <https://github.com/advisories/GHSA-c2qf-rxjj-qqgw>
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
2 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
-> npm ls semver
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
├─┬ @storybook/addon-essentials@7.0.27
│ ├─┬ @storybook/addon-docs@7.0.27
│ │ └─┬ @jest/transform@29.6.1
│ │ └─┬ babel-plugin-istanbul@6.1.1
│ │ └─┬ istanbul-lib-instrument@5.2.1
│ │ └── semver@6.3.1
│ └─┬ @storybook/manager-api@7.0.27
│ └── semver@7.5.4 deduped
├─┬ @storybook/addon-postcss@2.0.0
│ ├─┬ css-loader@3.6.0
│ │ └── semver@6.3.1
│ └─┬ postcss-loader@4.3.0
│ └── semver@7.5.4 deduped
├─┬ @storybook/nextjs@7.0.27
│ ├─┬ @storybook/builder-webpack5@7.0.27
│ │ ├─┬ css-loader@6.8.1
│ │ │ └── semver@7.5.4 deduped
│ │ ├─┬ fork-ts-checker-webpack-plugin@7.3.0
│ │ │ └── semver@7.5.4 deduped
│ │ └── semver@7.5.4 deduped
│ ├─┬ @storybook/preset-react-webpack@7.0.27
│ │ ├─┬ @storybook/react-docgen-typescript-plugin@1.0.6--canary.9.0c3f3b7.0
│ │ │ └─┬ find-cache-dir@3.3.2
│ │ │ └─┬ make-dir@3.1.0
│ │ │ └── semver@6.3.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ css-loader@6.8.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ postcss-loader@7.3.3
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4
├─┬ @typescript-eslint/eslint-plugin@6.0.0
│ ├─┬ @typescript-eslint/type-utils@6.0.0
│ │ └─┬ @typescript-eslint/utils@6.0.0
│ │ └── semver@7.5.4 deduped
│ ├─┬ @typescript-eslint/utils@6.0.0
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4 deduped
├─┬ @typescript-eslint/parser@6.0.0
│ └─┬ @typescript-eslint/typescript-estree@6.0.0
│ └── semver@7.5.4 deduped
├─┬ eslint-config-next@13.4.10
│ ├─┬ @typescript-eslint/parser@5.62.0
│ │ └─┬ @typescript-eslint/typescript-estree@5.62.0
│ │ └── semver@7.5.4 deduped
│ ├─┬ eslint-plugin-jsx-a11y@6.7.1
│ │ └── semver@6.3.1
│ └─┬ eslint-plugin-react@7.32.2
│ └── semver@6.3.1
├─┬ eslint-plugin-import@2.27.5
│ └── semver@6.3.1
├─┬ eslint-plugin-storybook@0.6.12
│ └─┬ @typescript-eslint/utils@5.61.0
│ ├─┬ @typescript-eslint/typescript-estree@5.61.0
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4 deduped
└─┬ storybook@7.0.27
└─┬ @storybook/cli@7.0.27
├─┬ @storybook/codemod@7.0.27
│ ├─┬ @babel/core@7.21.8
│ │ └── semver@6.3.1
│ └─┬ @babel/preset-env@7.21.5
│ ├─┬ babel-plugin-polyfill-corejs2@0.3.3
│ │ ├─┬ @babel/helper-define-polyfill-provider@0.3.3
│ │ │ └── semver@6.3.1 deduped
│ │ └── semver@6.3.1 deduped
│ └── semver@6.3.1 deduped
├─┬ @storybook/core-server@7.0.27
│ └── semver@7.5.4 deduped
├─┬ jscodeshift@0.14.0
│ └─┬ @babel/register@7.22.5
│ └─┬ make-dir@2.1.0
│ └── semver@5.7.2
├─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.2
├── semver@7.5.4 deduped
└─┬ simple-update-notifier@1.1.0
└── semver@7.0.0 // ← only this one is the problem
It is long, but do not panic.
The point is that only the very last line is the problem. Every other copy of semver in this tree is either the hoisted 7.5.4 or a 5.x/6.x release, all outside the 7.0.0 - 7.5.1 range that npm audit reported. The separate copy at node_modules/simple-update-notifier/node_modules/semver exists only because simple-update-notifier pins ``~7.0.0``, which admits 7.0.x alone and therefore cannot be deduped onto the hoisted 7.5.4.
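As an added example (not part of the original post), the same conclusion can be reached from package-lock.json itself instead of by reading a long ``npm ls`` tree. A lockfile v2/v3 lists every installed copy under ``packages``, keyed by its path below node_modules, so a nested path such as ``node_modules/simple-update-notifier/node_modules/semver`` is a separate install from the hoisted ``node_modules/semver``. The script below walks that map for one package name, flags the copies inside the affected range that ``npm audit`` printed (7.0.0 - 7.5.1 for semver), and names the owning package together with the range it declared, which is exactly the lock entry to edit. The ``packages`` map in it is a constructed excerpt mirroring the tree above, not the blog's real lockfile, and the version parser ignores pre-release tags, which is sufficient for the release versions found in a lockfile.

```javascript
// Added example (not from the original post): find every installed copy of a
// package in a lockfile v2/v3 "packages" map and flag the ones inside an
// advisory's affected range. SAMPLE_PACKAGES is a constructed excerpt that
// mirrors the `npm ls semver` tree in the post; it is not the blog's lockfile.

const SAMPLE_PACKAGES = {
  '': { name: 'noblog', version: '0.1.0' },
  'node_modules/semver': { version: '7.5.4' }, // hoisted copy
  'node_modules/simple-update-notifier': {
    version: '1.1.0',
    dev: true,
    dependencies: { semver: '~7.0.0' }, // admits 7.0.x only, so 7.5.4 cannot be reused
  },
  'node_modules/simple-update-notifier/node_modules/semver': { version: '7.0.0', dev: true },
  'node_modules/@babel/core': { version: '7.21.8', dependencies: { semver: '^6.3.0' } },
  'node_modules/@babel/core/node_modules/semver': { version: '6.3.1' },
  'node_modules/make-dir': { version: '2.1.0', dependencies: { semver: '^5.6.0' } },
  'node_modules/make-dir/node_modules/semver': { version: '5.7.2' },
};

// Affected range exactly as `npm audit` printed it for this tree: "7.0.0 - 7.5.1".
// Inclusive [min, max] pairs; add more pairs for advisories with several ranges.
const SEMVER_AFFECTED = [['7.0.0', '7.5.1']];

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]. Pre-release/build suffixes are
// dropped, which is enough for the release versions found in a lockfile.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric field-by-field compare, so 7.10.0 > 7.9.0 (a string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inAffectedRange(version, ranges) {
  return ranges.some(
    ([min, max]) => compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0,
  );
}

// Owner of a nested install: strip the trailing "/node_modules/<name>".
// A top-level path like "node_modules/semver" has no owner ('' = hoisted).
function ownerOf(lockPath) {
  const idx = lockPath.lastIndexOf('/node_modules/');
  return idx === -1 ? '' : lockPath.slice(0, idx);
}

// Every installed copy of `name`, with who owns it and the range that owner declared.
function findInstalls(packages, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, entry]) => {
      const owner = ownerOf(p);
      const declaredRange = packages[owner]?.dependencies?.[name] ?? null;
      return { path: p, version: entry.version, owner, declaredRange };
    });
}

function findVulnerable(packages, name, ranges) {
  return findInstalls(packages, name).filter((c) => inAffectedRange(c.version, ranges));
}

function report(packages, name, ranges) {
  for (const c of findInstalls(packages, name)) {
    const flag = inAffectedRange(c.version, ranges) ? 'VULNERABLE' : 'ok';
    const who = c.owner === '' ? 'hoisted' : `owned by ${c.owner}, which declares ${c.declaredRange}`;
    console.log(`${flag.padEnd(10)} ${c.path} @ ${c.version} (${who})`);
  }
}

report(SAMPLE_PACKAGES, 'semver', SEMVER_AFFECTED);
```

To run it against a real project, replace SAMPLE_PACKAGES with ``JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).packages``. The declared range in the output is the reason a nested copy exists at all: ``~7.0.0`` admits only 7.0.x, so npm cannot dedupe it onto the hoisted 7.5.4, and widening that range is what lets the second fix collapse the copy into ``semver@7.5.4 deduped``.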
Fix 2
"node_modules/simple-update-notifier": {
"version": "1.1.0",
"resolved": "<https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-1.1.0.tgz>",
"integrity": "sha512-VpsrsJSUcJEseSbMHkrsrAVSdvVS5I96Qo1QAQ4FxQ9wXFcB+pjj7FB7/us9+GcgfW4ziHtYMc1J0PLczb55mg==",
"dev": true,
"dependencies": {
"semver": "~7.0.0" // ← OLD
"semver": "^7.5.2" // ← NEW: only this line was changed
},
"engines": {
"node": ">=8.10.0"
}
},
Searching package-lock.json for semver turned up a lot of hits, but judging from the ``npm ls`` output I figured that changing only this spot would do it, and it worked!
Result 2
PS C:\\..\\Doc\\..\\git\\blog> npm ls semver
noblog@0.1.0 C:\\..\\Doc\\..\\git\\blog
├─┬ @storybook/addon-essentials@7.0.27
│ ├─┬ @storybook/addon-docs@7.0.27
│ │ └─┬ @jest/transform@29.6.1
│ │ └─┬ babel-plugin-istanbul@6.1.1
│ │ └─┬ istanbul-lib-instrument@5.2.1
│ │ └── semver@6.3.1
│ └─┬ @storybook/manager-api@7.0.27
│ └── semver@7.5.4 deduped
├─┬ @storybook/addon-postcss@2.0.0
│ ├─┬ css-loader@3.6.0
│ │ └── semver@6.3.1
│ └─┬ postcss-loader@4.3.0
│ └── semver@7.5.4 deduped
├─┬ @storybook/nextjs@7.0.27
│ ├─┬ @storybook/builder-webpack5@7.0.27
│ │ ├─┬ css-loader@6.8.1
│ │ │ └── semver@7.5.4 deduped
│ │ ├─┬ fork-ts-checker-webpack-plugin@7.3.0
│ │ │ └── semver@7.5.4 deduped
│ │ └── semver@7.5.4 deduped
│ ├─┬ @storybook/preset-react-webpack@7.0.27
│ │ ├─┬ @storybook/react-docgen-typescript-plugin@1.0.6--canary.9.0c3f3b7.0
│ │ │ └─┬ find-cache-dir@3.3.2
│ │ │ └─┬ make-dir@3.1.0
│ │ │ └── semver@6.3.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ css-loader@6.8.1
│ │ └── semver@7.5.4 deduped
│ ├─┬ postcss-loader@7.3.3
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4
├─┬ @typescript-eslint/eslint-plugin@6.0.0
│ ├─┬ @typescript-eslint/type-utils@6.0.0
│ │ └─┬ @typescript-eslint/utils@6.0.0
│ │ └── semver@7.5.4 deduped
│ ├─┬ @typescript-eslint/utils@6.0.0
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4 deduped
├─┬ @typescript-eslint/parser@6.0.0
│ └─┬ @typescript-eslint/typescript-estree@6.0.0
│ └── semver@7.5.4 deduped
├─┬ eslint-config-next@13.4.10
│ ├─┬ @typescript-eslint/parser@5.62.0
│ │ └─┬ @typescript-eslint/typescript-estree@5.62.0
│ │ └── semver@7.5.4 deduped
│ ├─┬ eslint-plugin-jsx-a11y@6.7.1
│ │ └── semver@6.3.1
│ └─┬ eslint-plugin-react@7.32.2
│ └── semver@6.3.1
├─┬ eslint-plugin-import@2.27.5
│ └── semver@6.3.1
├─┬ eslint-plugin-storybook@0.6.12
│ └─┬ @typescript-eslint/utils@5.61.0
│ ├─┬ @typescript-eslint/typescript-estree@5.61.0
│ │ └── semver@7.5.4 deduped
│ └── semver@7.5.4 deduped
└─┬ storybook@7.0.27
└─┬ @storybook/cli@7.0.27
├─┬ @storybook/codemod@7.0.27
│ ├─┬ @babel/core@7.21.8
│ │ └── semver@6.3.1
│ └─┬ @babel/preset-env@7.21.5
│ ├─┬ babel-plugin-polyfill-corejs2@0.3.3
│ │ ├─┬ @babel/helper-define-polyfill-provider@0.3.3
│ │ │ └── semver@6.3.1 deduped
│ │ └── semver@6.3.1 deduped
│ └── semver@6.3.1 deduped
├─┬ @storybook/core-server@7.0.27
│ └── semver@7.5.4 deduped
├─┬ jscodeshift@0.14.0
│ └─┬ @babel/register@7.22.5
│ └─┬ make-dir@2.1.0
│ └── semver@5.7.2
├─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.2
├── semver@7.5.4 deduped
└─┬ simple-update-notifier@1.1.0
└── semver@7.5.4 deduped // ← only this one changed, and it updated!
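Both fixes above live only in package-lock.json. That holds until npm re-resolves ogp-parser or simple-update-notifier (for instance when either is updated), at which point their dependency ranges come back from the registry metadata and the vulnerable copies return. npm's ``overrides`` field in package.json (npm 8.3 and later) records the same intent durably, and its nested form ``{ "<dependent>": { "<dependency>": "<range>" } }`` scopes the override to one dependent so the rest of the tree is untouched. The script below is an added example, not the blog's code: it builds that block from the two edits in the post and merges it into a constructed package.json, refusing to overwrite a range that is already pinned differently.

```javascript
// Added example (not the blog's code): turn the two package-lock.json edits in
// the post into an npm "overrides" block in package.json (npm 8.3 or newer).
// SAMPLE_PACKAGE_JSON is a constructed stand-in for the blog's real file.

// One finding = "<parent> must receive <dep> at <range>". Keying on the parent
// scopes the override to that dependent only; the hoisted semver@7.5.4 used by
// everything else in the tree is not touched.
const FINDINGS = [
  { parent: 'ogp-parser', dep: 'fast-xml-parser', range: '^4.2.4' },
  { parent: 'simple-update-notifier', dep: 'semver', range: '^7.5.2' },
];

const SAMPLE_PACKAGE_JSON = {
  name: 'noblog',
  version: '0.1.0',
  dependencies: { 'ogp-parser': '^0.8.1' },
  devDependencies: { storybook: '^7.0.27' }, // simple-update-notifier arrives via storybook
};

// npm's nested override shape: { "<parent>": { "<dep>": "<range>" } }
function buildOverrides(findings) {
  const overrides = {};
  for (const { parent, dep, range } of findings) {
    overrides[parent] = overrides[parent] || {};
    overrides[parent][dep] = range;
  }
  return overrides;
}

// Merge into any existing "overrides" without silently changing a range that
// someone already pinned; a different value for the same parent/dep is an error.
// Returns a new object; the input is not mutated.
function applyOverrides(pkg, newOverrides) {
  const merged = JSON.parse(JSON.stringify(pkg));
  merged.overrides = merged.overrides || {};
  for (const [parent, deps] of Object.entries(newOverrides)) {
    const existing = merged.overrides[parent];
    if (existing !== undefined && typeof existing !== 'object') {
      // "<parent>": "<range>" is a plain override of the parent itself; nesting
      // under it would change its meaning, so stop and let a human decide.
      throw new Error(`override for ${parent} is already a plain range (${existing})`);
    }
    const block = { ...(existing || {}) };
    for (const [dep, range] of Object.entries(deps)) {
      if (block[dep] !== undefined && block[dep] !== range) {
        throw new Error(`conflicting override for ${parent} > ${dep}: ${block[dep]} vs ${range}`);
      }
      block[dep] = range;
    }
    merged.overrides[parent] = block;
  }
  return merged;
}

const patched = applyOverrides(SAMPLE_PACKAGE_JSON, buildOverrides(FINDINGS));
console.log(JSON.stringify(patched, null, 2));
```

Apply it to a real project by reading package.json, passing it through applyOverrides and writing the result back, then run ``npm install`` followed by ``npm ls semver`` and ``npm audit`` to confirm the tree matches the results above. The nested form is deliberate: a top-level ``"semver": "^7.5.2"`` would also force every 5.x and 6.x copy in the tree onto 7.x, a much larger change than the one the audit asked for.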
Abandoned approach
ncu -u
The approach of bumping package.json to the latest version of everything with the command above.
The dependencies broke and the build no longer passed.
Bumping every dependency at once mixes the two security fixes in with unrelated major-version upgrades, so when something breaks there is no way to tell which change caused it; the targeted edits above change exactly one range each.