NPM Audit Fix wants to downgrade a package

Question

We received an NPM Audit warning about jsonwebtoken <= 8.5.1. The suggested fix was to upgrade mssql to 7.2.0. Instead, we removed mssql with npm remove mssql and re-installed it to get the latest version npm i -D mssql => 9.0.1.

However, NPM Audit still complains and wants to install mssql@7.2.0.

Why is NPM Audit requiring a downgrade?

$ npm audit --registry=https://registry.npmjs.org/

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install mssql@7.2.0, which is a breaking change
node_modules/jsonwebtoken
  @azure/msal-node  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@azure/msal-node
    @azure/identity  >=1.2.0-alpha.20200903.1
    Depends on vulnerable versions of @azure/msal-node
    node_modules/@azure/identity
      tedious  >=11.0.9
      Depends on vulnerable versions of @azure/identity
      node_modules/tedious
        mssql  >=7.2.1
        Depends on vulnerable versions of tedious
        node_modules/mssql

5 vulnerabilities (4 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Here is the dependency graph:

  • "mssql": "9.0.1"
    • "tedious": "^15.0.1" (15.1.2)
      • "@azure/identity": "^2.0.4"
        • "@azure/msal-node": "^1.10.0"
          • "jsonwebtoken": "^8.5.1"

We have no other libraries which depend on jsonwebtoken.

package.json

{
  "dependencies": {
    "express": "^4.18.1",
    "flatted": "^3.1.1",
    "http-proxy-middleware": "^2.0.6",
    "log-timestamp": "^0.3.0",
    "node-fetch": "^2.6.1",
    "nodemon": "^2.0.20",
    "sha1-hex": "^1.0.0"
  },
  "devDependencies": {
    "@types/jest": "^26.0.3",
    "eslint": "^7.7.0",
    "eslint-config-strongloop": "^2.1.0",
    "jest": "^28.1.3",
    "jest-junit": "^8.0.0",
    "mssql": "^9.0.1"
  }
}

Answer 1

Score: 2

The issue is that all versions of @azure/msal-node depend on jsonwebtoken@8.5.1. However, this dependency seems to have been added in mssql >7.2.0. So downgrading to mssql@7.2.0 removes the dependence on @azure/msal-node and subsequently the vulnerable version of jsonwebtoken.
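The reasoning in the answer can be checked mechanically against the dependency graph in the question. The script below is an added example, not code from the question, the answer, or npm itself. It walks a small dependency tree (constructed here to mirror the mssql > tedious > @azure/identity > @azure/msal-node > jsonwebtoken chain; the resolved versions of @azure/identity and @azure/msal-node are assumed, since the question only quotes their declared ranges) and, for each path that ends at a vulnerable jsonwebtoken, asks whether the caret range declared by the package that pulls it in could ever resolve to the patched release. The patched release used here is jsonwebtoken 9.0.0, the version the linked GitHub advisories list as fixed. The `caretBounds` helper handles only `^x.y.z` ranges with a non-zero major, which is all this graph uses; it is not a full semver implementation.

```javascript
// Added example: explain why `npm audit fix` must move a top-level package
// instead of bumping the vulnerable leaf. Constructed tree, mirrors the
// question's graph; resolved versions marked "assumed" are not from the page.
const tree = {
  name: 'app', version: '0.0.0', deps: {
    mssql: { range: '^9.0.1', version: '9.0.1', deps: {
      tedious: { range: '^15.0.1', version: '15.1.2', deps: {
        '@azure/identity': { range: '^2.0.4', version: '2.0.4' /* assumed */, deps: {
          '@azure/msal-node': { range: '^1.10.0', version: '1.10.0' /* assumed */, deps: {
            jsonwebtoken: { range: '^8.5.1', version: '8.5.1', deps: {} },
          } },
        } },
      } },
    } },
  },
};

// Advisory as reported on the page (<=8.5.1 vulnerable); 9.0.0 is the
// patched release listed by the linked GHSA entries.
const advisory = { name: 'jsonwebtoken', vulnerableMax: '8.5.1', patched: '9.0.0' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "^x.y.z" with x > 0 means >=x.y.z and <(x+1).0.0. Other range forms are
// deliberately rejected rather than guessed.
function caretBounds(range) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const lo = parseVersion(m[1]);
  if (lo[0] === 0) throw new Error(`zero-major caret not handled: ${range}`);
  return { lo, hi: [lo[0] + 1, 0, 0] };
}

// Can the declared range ever resolve to the patched version?
function canRangeReachPatched(range, patched) {
  const { lo, hi } = caretBounds(range);
  const p = parseVersion(patched);
  return compare(p, lo) >= 0 && compare(p, hi) < 0;
}

// Every path from the project root to an installed vulnerable copy.
function findVulnerablePaths(root, adv) {
  const paths = [];
  const maxVuln = parseVersion(adv.vulnerableMax);
  (function walk(node, path) {
    for (const [name, child] of Object.entries(node.deps)) {
      const next = path.concat({ name, range: child.range, version: child.version });
      if (name === adv.name && compare(parseVersion(child.version), maxVuln) <= 0) {
        paths.push(next);
      }
      walk(child, next);
    }
  })(root, []);
  return paths;
}

// For each path: if the package declaring the leaf range excludes the
// patched version, npm cannot fix it by bumping the leaf. The only lever
// left is changing the top-level dependency to a version whose subtree no
// longer contains the declaring package, which is what "Will install
// mssql@7.2.0" means.
function report(root, adv) {
  return findVulnerablePaths(root, adv).map((path) => {
    const leaf = path[path.length - 1];
    const declaredBy = path.length >= 2 ? path[path.length - 2].name : 'package.json';
    const reachable = canRangeReachPatched(leaf.range, adv.patched);
    return {
      chain: path.map((e) => `${e.name}@${e.version}`).join(' > '),
      declaredRange: leaf.range,
      fixableByLeafBump: reachable,
      mustChange: reachable ? leaf.name : declaredBy,
      topLevel: path[0].name,
    };
  });
}

console.log(JSON.stringify(report(tree, advisory), null, 2));
```

Run with `node` and the single reported path shows `fixableByLeafBump: false` and `mustChange: "@azure/msal-node"`: `^8.5.1` caps jsonwebtoken below 9.0.0, so until @azure/msal-node publishes a release that raises that range, the audit's only available fix is to move the top-level `mssql` to a version that does not pull in @azure/msal-node at all.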

huangapple
  • Posted on 2023-01-03 17:36:31
  • Please keep this link when reposting: https://go.coder-hub.com/74991450.html