我正在尝试解决 Node 包的安全漏洞。
pnpmpnpmpnpm audit┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high │ path-to-regexp outputs backtracking regular │
│ │ expressions │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=2.0.0 <3.3.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=3.3.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ . > *redacted* > *redacted* > │
│ │ @nestjs/[email protected] > [email protected] │
│ │ │
│ │ . > *redacted* > │
│ │ @nestjs/[email protected] > [email protected] │
│ │ │
│ │ . > [email protected] │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-9wv6-86v2-598j │
└─────────────────────┴────────────────────────────────────────────────────────┘
pnpm why path-to-regexp --depth=10❯ p why path-to-regexp --depth=10
Legend: production dependency, optional only, dev only
*redacted*
dependencies:
*redacted*
├─┬ @nestjs/core 10.4.12 peer
│ ├─┬ @nestjs/platform-express 10.4.12 peer
│ │ └─┬ express 4.21.1
│ │ └── path-to-regexp 0.1.10
│ └── path-to-regexp 3.3.0
├─┬ @nestjs/platform-express 10.4.12 peer
│ ├─┬ @nestjs/core 10.4.12 peer
│ │ └── path-to-regexp 3.3.0
│ └─┬ express 4.21.1
│ └── path-to-regexp 0.1.10
├─┬ @nestjs/testing 10.4.12 peer
│ ├─┬ @nestjs/core 10.4.12 peer
│ │ └── path-to-regexp 3.3.0
│ └─┬ @nestjs/platform-express 10.4.12 peer
│ └─┬ express 4.21.1
│ └── path-to-regexp 0.1.10
└─┬ nestjs-console 9.0.0 peer
└─┬ @nestjs/core 10.4.12 peer
└── path-to-regexp 3.3.0
*redacted*
└─┬ *redacted* peer
└─┬ @nestjs/swagger 8.0.7 peer
├─┬ @nestjs/core 10.4.12 peer
│ ├─┬ @nestjs/platform-express 10.4.12 peer
│ │ └─┬ express 4.21.1
│ │ └── path-to-regexp 0.1.10
│ └── path-to-regexp 3.3.0
└── path-to-regexp 3.3.0
devDependencies:
@nestjs/testing 10.4.12
├─┬ @nestjs/core 10.4.12 peer
│ ├─┬ @nestjs/platform-express 10.4.12 peer
│ │ └─┬ express 4.21.1
│ │ └── path-to-regexp 0.1.10
│ └── path-to-regexp 3.3.0
└─┬ @nestjs/platform-express 10.4.12 peer
├─┬ @nestjs/core 10.4.12 peer
│ └── path-to-regexp 3.3.0
└─┬ express 4.21.1
└── path-to-regexp 0.1.10
nestjs-console 9.0.0
└─┬ @nestjs/core 10.4.12 peer
├─┬ @nestjs/platform-express 10.4.12 peer
│ └─┬ express 4.21.1
│ └── path-to-regexp 0.1.10
└── path-to-regexp 3.3.0
pnpm whypnpm audit我错过了什么? 谢谢。
有趣的是,这是在 pnpm.lock 中:
'@nestjs/[email protected](@nestjs/[email protected]([email protected])([email protected])([email protected])([email protected]))(@nestjs/[email protected])':
dependencies:
'@fastify/cors': 9.0.1
'@fastify/formbody': 7.4.0
'@fastify/middie': 8.3.1
'@nestjs/common': 10.4.12([email protected])([email protected])([email protected])([email protected])
'@nestjs/core': 10.4.12(@nestjs/[email protected]([email protected])([email protected])([email protected])([email protected]))(@nestjs/[email protected])([email protected])([email protected])
fastify: 4.27.0
light-my-request: 5.13.0
path-to-regexp: 3.2.0
tslib: 2.6.2
但我不知道为什么。
正如 Estus Flask 提到的,pnpm.lock 文件中已解决的依赖关系是罪魁祸首。 覆盖依赖关系可以解决该漏洞。 在package.json中:
"pnpm": {
"overrides": {
"path-to-regexp@>=3.2.0 <3.3.0": "^3.3.0"
}
},
这意味着“对于
path-to-regexp3.2.03.3.0path-to-regexp4.0.0