Some of the packages @tarojs/cli depends on are many versions behind; can they be upgraded?
What problem does this feature solve?
We have been receiving Dependabot alerts about security vulnerabilities in our dependencies for a long time (over two years). For example, taro depends on fbjs "^1.0.0", while fbjs is actually at 3.0.4 by now. fbjs in turn depends on many packages, and several high-level security issues have been reported against them. The same applies to webpack-dev-server, ejs, postcss, mini-css-extract-plugin, download-git-repo, latest-version and others.
What does the API look like?
Upgrade to compatible newer versions.
We'll go through them as soon as we can.
Yes, it caused conflicts with some of our own private libraries.
+prettier
Version 3.6.3 has cleaned up and upgraded the dependencies.
@ZakaryCode @ZEJIA-LIU
Sorry to bother you: the cli in 3.6.17 still shows some deprecation warnings, and there are quite a few alerts about serious vulnerabilities in its dependencies.
$ node -v
v20.8.0
$ npm -v
9.8.1
$ npm init
$ cat package.json
{
"name": "playground",
"main": "index.js"
}
$ npm i -D @tarojs/cli
$ cat package.json
{
"name": "playground",
"main": "index.js",
"devDependencies": {
"@tarojs/cli": "^3.6.17"
}
}
deprecated:
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
vulnerabilities:
$ npm audit report
# npm audit report
git-clone *
Severity: high
Command injection in git-clone - https://github.com/advisories/GHSA-8jmw-wjr8-2x66
fix available via `npm audit fix --force`
Will install @tarojs/[email protected], which is a breaking change
node_modules/git-clone
download-git-repo *
Depends on vulnerable versions of download
Depends on vulnerable versions of git-clone
node_modules/download-git-repo
@tarojs/cli 0.0.0-experimental.2 || >=0.0.56
Depends on vulnerable versions of download-git-repo
Depends on vulnerable versions of latest-version
Depends on vulnerable versions of npm-check
Depends on vulnerable versions of request
node_modules/@tarojs/cli
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install @tarojs/[email protected], which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/download
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
npm-check >=3.2.7
Depends on vulnerable versions of package-json
Depends on vulnerable versions of update-notifier
node_modules/npm-check
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install @tarojs/[email protected], which is a breaking change
node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/cacheable-request
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install @tarojs/[email protected], which is a breaking change
node_modules/request
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install @tarojs/[email protected], which is a breaking change
node_modules/tough-cookie
13 vulnerabilities (7 moderate, 6 high)
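The text report above mixes two kinds of entries: packages that carry an advisory themselves (git-clone, got, tough-cookie, ...) and packages that are only flagged because they depend on one of those (download-git-repo, @tarojs/cli, ...). When gating CI on `npm audit`, that distinction matters: the blocking question is which direct dependencies are exposed, through which chain, and whether the only available fix is a breaking one. The script below is an added example and is not code from the taro project; it reads the JSON form of the report (`npm audit --json`, auditReportVersion 2 as emitted by npm 7 and later, whose `via` entries are either advisory objects or the names of vulnerable dependencies). The report it runs on is a constructed sample shaped like the thread's output, trimmed to the @tarojs/cli -> download-git-repo -> git-clone chain and the request group; `0.0.0-placeholder` stands in for the fix version the thread elides.

```javascript
// Added example, not the taro project's code: gate CI on `npm audit --json`
// (auditReportVersion 2). Field names follow the real npm schema; the report
// itself is a constructed sample modelled on the thread's text report.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "git-clone": {
      name: "git-clone", severity: "high", isDirect: false, range: "*",
      via: [{ title: "Command injection in git-clone", severity: "high", range: "*",
              url: "https://github.com/advisories/GHSA-8jmw-wjr8-2x66" }],
      effects: ["download-git-repo"], nodes: ["node_modules/git-clone"],
      // "0.0.0-placeholder": the fix version is not given in the thread
      fixAvailable: { name: "@tarojs/cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "download-git-repo": {
      name: "download-git-repo", severity: "high", isDirect: false, range: "*",
      via: ["git-clone"], effects: ["@tarojs/cli"], nodes: ["node_modules/download-git-repo"],
      fixAvailable: { name: "@tarojs/cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "@tarojs/cli": {
      name: "@tarojs/cli", severity: "high", isDirect: true, range: "0.0.0-experimental.2 || >=0.0.56",
      via: ["download-git-repo", "request"], effects: [], nodes: ["node_modules/@tarojs/cli"],
      fixAvailable: { name: "@tarojs/cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    request: {
      name: "request", severity: "moderate", isDirect: false, range: "*",
      via: [{ title: "Server-Side Request Forgery in Request", severity: "moderate", range: "*",
              url: "https://github.com/advisories/GHSA-p8p7-x288-28g6" }, "tough-cookie"],
      effects: ["@tarojs/cli"], nodes: ["node_modules/request"], fixAvailable: true,
    },
    "tough-cookie": {
      name: "tough-cookie", severity: "moderate", isDirect: false, range: "<4.1.3",
      via: [{ title: "tough-cookie Prototype Pollution vulnerability", severity: "moderate",
              range: "<4.1.3", url: "https://github.com/advisories/GHSA-72xf-g2v4-qvf3" }],
      effects: ["request"], nodes: ["node_modules/tough-cookie"], fixAvailable: true,
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories are the `via` entries that are objects; a string entry only says
// "vulnerable because it depends on <name>".
function rootAdvisories(report) {
  const out = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via === "object") {
        out.push({ package: v.name, severity: via.severity, title: via.title, url: via.url, range: via.range });
      }
    }
  }
  return out;
}

// Follow string `via` links from a package down to the packages that carry
// the advisories. Returns every path as an array of package names; a package
// that both carries an advisory and depends on a vulnerable one yields both.
function rootCauseChains(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  const next = new Set([...seen, name]);
  const chains = [];
  if (entry.via.some((x) => typeof x === "object")) chains.push([name]);
  for (const dep of entry.via.filter((x) => typeof x === "string")) {
    const sub = rootCauseChains(report, dep, next);
    if (sub.length === 0) chains.push([name, dep]); // dep missing from report or cyclic: stop here
    for (const c of sub) chains.push([name, ...c]);
  }
  return chains;
}

// Fail when any package is at or above `failOn`; also collect fixes that npm
// marks as semver-major, since those need a deliberate upgrade, not `--force`.
function auditGate(report, { failOn = "high" } = {}) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const blocking = [];
  const breakingFixes = new Set();
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] += 1;
    if (SEVERITY_RANK[v.severity] >= SEVERITY_RANK[failOn]) {
      blocking.push(v.name);
      const fix = v.fixAvailable;
      if (fix && fix.isSemVerMajor) breakingFixes.add(`${fix.name}@${fix.version}`);
    }
  }
  return { pass: blocking.length === 0, counts, blocking: blocking.sort(), breakingFixes: [...breakingFixes].sort() };
}

// Human-readable summary: one line per advisory, one per exposure chain of a
// direct dependency, then the gate verdict.
function formatReport(report, opts) {
  const gate = auditGate(report, opts);
  const lines = rootAdvisories(report).map((a) => `[${a.severity}] ${a.package} ${a.range}: ${a.title} (${a.url})`);
  for (const v of Object.values(report.vulnerabilities)) {
    if (!v.isDirect) continue;
    for (const chain of rootCauseChains(report, v.name)) lines.push(`direct dep ${v.name} exposed via ${chain.join(" -> ")}`);
  }
  lines.push(`gate: ${gate.pass ? "PASS" : "FAIL"} (high=${gate.counts.high}, moderate=${gate.counts.moderate}); breaking fixes: ${gate.breakingFixes.join(", ") || "none"}`);
  return lines;
}

console.log(formatReport(SAMPLE_AUDIT).join("\n"));
```

In a pipeline you would replace `SAMPLE_AUDIT` with `JSON.parse` of the `npm audit --json` output and exit non-zero when `auditGate(...).pass` is false; the chain output is what tells you whether the fix belongs in your own package.json or, as in this thread, upstream in the dependency that pulls the vulnerable package in.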