I updated Angular CLI and created a new project, with routing and SCSS.
When I run npm install I see:

41 vulnerabilities (4 low, 37 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

I used the first command, npm audit fix,
and it showed me this:
up to date, audited 985 packages in 5s

90 packages are looking for funding
  run `npm fund` for details

# npm audit report

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/node-forge
  selfsigned  >=1.1.1
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  >=2.5.0
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of postcss-preset-env
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/autoprefixer/node_modules/postcss
node_modules/css-blank-pseudo/node_modules/postcss
node_modules/css-has-pseudo/node_modules/postcss
node_modules/css-prefers-color-scheme/node_modules/postcss
node_modules/postcss-attribute-case-insensitive/node_modules/postcss
node_modules/postcss-color-functional-notation/node_modules/postcss
node_modules/postcss-color-gray/node_modules/postcss
node_modules/postcss-color-hex-alpha/node_modules/postcss
node_modules/postcss-color-mod-function/node_modules/postcss
node_modules/postcss-color-rebeccapurple/node_modules/postcss
node_modules/postcss-custom-media/node_modules/postcss
node_modules/postcss-custom-properties/node_modules/postcss
node_modules/postcss-custom-selectors/node_modules/postcss
node_modules/postcss-dir-pseudo-class/node_modules/postcss
node_modules/postcss-double-position-gradients/node_modules/postcss
node_modules/postcss-env-function/node_modules/postcss
node_modules/postcss-focus-visible/node_modules/postcss
node_modules/postcss-focus-within/node_modules/postcss
node_modules/postcss-font-variant/node_modules/postcss
node_modules/postcss-gap-properties/node_modules/postcss
node_modules/postcss-image-set-function/node_modules/postcss
node_modules/postcss-initial/node_modules/postcss
node_modules/postcss-lab-function/node_modules/postcss
node_modules/postcss-logical/node_modules/postcss
node_modules/postcss-media-minmax/node_modules/postcss
node_modules/postcss-nesting/node_modules/postcss
node_modules/postcss-overflow-shorthand/node_modules/postcss
node_modules/postcss-page-break/node_modules/postcss
node_modules/postcss-place/node_modules/postcss
node_modules/postcss-preset-env/node_modules/postcss
node_modules/postcss-pseudo-class-any-link/node_modules/postcss
node_modules/postcss-replace-overflow-wrap/node_modules/postcss
node_modules/postcss-selector-matches/node_modules/postcss
node_modules/postcss-selector-not/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    postcss-preset-env  <=7.0.0
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of css-blank-pseudo
    Depends on vulnerable versions of css-prefers-color-scheme
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-color-gray
    Depends on vulnerable versions of postcss-color-mod-function
    Depends on vulnerable versions of postcss-double-position-gradients
    Depends on vulnerable versions of postcss-focus-visible
    Depends on vulnerable versions of postcss-focus-within
    Depends on vulnerable versions of postcss-initial
    Depends on vulnerable versions of postcss-page-break
    node_modules/postcss-preset-env
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of postcss-preset-env
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
  css-blank-pseudo  <=1.0.0
  Depends on vulnerable versions of postcss
  node_modules/css-blank-pseudo
  css-has-pseudo  <=1.0.0
  Depends on vulnerable versions of postcss
  node_modules/css-has-pseudo
  css-prefers-color-scheme  <=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/css-prefers-color-scheme
  postcss-attribute-case-insensitive  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-attribute-case-insensitive
  postcss-color-functional-notation  <=3.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-functional-notation
  postcss-color-gray  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-gray
  postcss-color-hex-alpha  1.3.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-hex-alpha
  postcss-color-mod-function  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-mod-function
  postcss-color-rebeccapurple  1.2.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-rebeccapurple
  postcss-custom-media  4.0.0 - 7.0.8
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-media
  postcss-custom-properties  3.3.0 - 10.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-properties
  postcss-custom-selectors  2.3.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-selectors
  postcss-dir-pseudo-class  <=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-dir-pseudo-class
  postcss-double-position-gradients  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-double-position-gradients
  postcss-env-function  <=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-env-function
  postcss-focus-visible  <=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-visible
  postcss-focus-within  <=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-within
  postcss-font-variant  1.2.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-font-variant
  postcss-gap-properties  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-gap-properties
  postcss-image-set-function  <=3.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-image-set-function
  postcss-initial  <=3.0.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-initial
  postcss-lab-function  <=3.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-lab-function
  postcss-logical  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-logical
  postcss-media-minmax  1.2.0 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-media-minmax
  postcss-nesting  <=7.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-nesting
  postcss-overflow-shorthand  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-overflow-shorthand
  postcss-page-break  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-page-break
  postcss-place  <=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-place
  postcss-pseudo-class-any-link  <=6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-pseudo-class-any-link
  postcss-replace-overflow-wrap  <=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-replace-overflow-wrap
  postcss-selector-matches  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-matches
  postcss-selector-not  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-not
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
After that, npm audit fix --force,
and now I have

25 vulnerabilities (3 low, 15 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

And I can't start the project anymore either.
An unhandled exception occurred: require() of ES Module /Users/gboutte/Documents/my-project/node_modules/@angular/compiler-cli/bundles/index.js from /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js not supported. Instead change the require of index.js in /Users/gboutte/Documents/my-project/node_modules/@angular-devkit/build-angular/node_modules/@ngtools/webpack/src/angular_compiler_plugin.js to a dynamic import() which is available in all CommonJS modules. See "/private/var/folders/yq/67x6zpfj695czhn4sqrwvxp40000gn/T/ng-h8zNpR/angular-errors.log" for further details.
Should I ignore this error, or is there a way to fix it? I saw postcss mentioned in the vulnerabilities; should I use something other than SCSS?
I'm afraid you just have to put up with the vulnerabilities. Angular has a very strict set of dependencies, and changing the versions of those dependencies has broken your application.
Make sure you keep updating your Angular project as often as possible, since the Angular team regularly updates Angular's dependencies to mitigate these issues.
Agreed with Will Alexander that we should probably tolerate these vulnerabilities for now and upgrade to a new Angular 13.x.x that fixes them. On the plus side, these look like low-risk vulnerabilities for the way most people use Angular (caveat: this is my best guess; others, please comment if I'm missing something):

node-forge is used to create self-signed SSL certificates for the local dev server (usually localhost:4200) when you run ng serve.

postcss is used to parse and modify CSS (adding vendor prefixes, etc.). I'm not sure, but I think Angular still uses it even if you're using CSS instead of SCSS.

So both are only used in development and aren't deployed with a production build (where Prototype Pollution and RegEx DoS would be significant risks).

Also, the automatic fix npm audit fix --force will probably cause more problems than it solves if you're using the current version of Angular (v13). It downgrades @angular-devkit/build-angular from 13.1.2 (for Angular v13) to 0.1101.2 (v11-lts, long-term support for Angular v11). That mismatch between v11 build tooling and v13 code is probably what's causing your unhandled exception when you try to run it.

tl;dr: Develop in Angular without the npm audit fix (in this case!), since these vulnerabilities won't be deployed to production. Hopefully upgrading to a newer Angular v13.x.x will clean up the npm audit in the near future.