postcss 7.0.0 - 8.2.9 Severity: moderate Regular Expression Denial of Service


Problem description

When creating a new project under create-react-app, you get warnings straight away regarding a vulnerability found in postcss.

Issue reported by npm: https://www.npmjs.com/advisories/1693

Related open issues can be found here:

The issue has been patched on postcss v8.2.10, but it's still present when creating new projects as react-scripts hasn't upgraded the dependency yet.

So, my problem here is I can no longer run builds as they fail due to the vulnerability.

Since I can't wait for them to get it patched before I can keep working on my stuff (they seem to have been aware of it since a year ago), is there some workaround that could be applied to solve it?

I tried adding a postcss resolution on package.json:

  "resolutions": {
    "postcss": "^8.2.10"
  },

but that didn't land me far.

Any idea?

Solution

This article helped me: https://www.npmjs.com/package/npm-force-resolutions. To use the resolutions you wrote, you should force them by adding this script in package.json:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

After that, run npm install and it should overwrite all nested dependencies.

Anyway, it will not work due to many dependencies. The good news is that support for postcss 8 is already merged and will probably be released soon: https://github.com/facebook/create-react-app/issues/9664
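To check whether a forced resolution actually replaced every nested copy, the following added example (not part of the original answer or of any project's code) walks a package-lock.json dependency tree and lists each postcss copy still inside the advisory range 7.0.0 - 8.2.9. It assumes the lockfileVersion 1 layout with nested `dependencies`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Advisory range from the page title: postcss 7.0.0 - 8.2.9 (fixed in 8.2.10).
const RANGE = { low: [7, 0, 0], high: [8, 2, 9] };

// Parse "8.2.9" into [major, minor, patch]; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function inRange(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, RANGE.low) >= 0 && cmp(v, RANGE.high) <= 0;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 package-lock.json
// and return every postcss copy inside the advisory range, with its path.
function findVulnerablePostcss(lock) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = trail.concat(name);
      if (name === 'postcss' && inRange(info.version)) {
        hits.push({ path: path.join(' > '), version: info.version });
      }
      walk(info.dependencies, path);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project): the top-level copy is
// patched, but two nested copies are still pinned inside the advisory range.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    postcss: { version: '8.2.10' },
    'react-scripts': {
      version: '0.0.0-sample',
      dependencies: {
        postcss: { version: '7.0.35' },
        'postcss-loader': { version: '0.0.0-sample', dependencies: { postcss: { version: '8.2.9' } } },
      },
    },
  },
};
console.log(findVulnerablePostcss(sampleLock));
```

For a real project, pass the parsed contents of package-lock.json to `findVulnerablePostcss` after running npm install; an empty result means no copy in the range remains in the tree.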
