Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

reactjs - postcss 7.0.0 - 8.2.9 Severity: moderate Regular Expression Denial of Service

When creating a new project under create-react-app, you get warnings straight away regarding a vulnerability found in postcss.

Issue reported by npm: https://www.npmjs.com/advisories/1693

Related open issues can be found here:

The issue has been patched in postcss v8.2.10, but it's still present when creating new projects, as react-scripts hasn't upgraded the dependency yet.

So, my problem here is that I can no longer run builds, as they fail due to the vulnerability.

Since I can't wait for them to patch it before continuing my work (they seem to have been aware of it for a year), is there some workaround that could be applied to solve it?

I tried adding a postcss resolution in package.json:

  "resolutions": {
    "postcss": "^8.2.10"
  },

but that didn't get me far.

Any idea?



1 Reply


This article helped me: https://www.npmjs.com/package/npm-force-resolutions. To use the resolutions you wrote, you should force them by adding this script to package.json:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

After that, run npm install and it should overwrite all nested dependencies.

Anyway, it will not work due to many dependencies. The good news is that support for postcss 8 is already merged and will probably be released soon: https://github.com/facebook/create-react-app/issues/9664

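As an added check (example code, not from the question or the answer above): this script walks a lockfileVersion 1 package-lock.json and reports every nested postcss copy still inside the advisory's affected range 7.0.0 - 8.2.9, which is how to confirm whether a forced resolution actually replaced all nested copies rather than only the top-level one. The sample lockfile and its react-scripts > postcss-loader chain are constructed for illustration.

```javascript
// Added example, not from the question or answer above: scan a lockfile for nested
// postcss copies still in the advisory's affected range (7.0.0 - 8.2.9) so you can
// verify that a "resolutions" override really replaced every nested copy.
const AFFECTED_MIN = [7, 0, 0]; // first affected version (from the advisory)
const FIXED = [8, 2, 10];       // first patched version (from the question text)

// Minimal semver major.minor.patch parser; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when 7.0.0 <= version < 8.2.10.
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, FIXED) < 0;
}

// Walk a lockfileVersion 1 "dependencies" tree (nested copies sit under each
// entry's own "dependencies") and return the install path of every affected postcss.
function findAffectedPostcss(lock, name = "postcss") {
  const hits = [];
  const walk = (deps, prefix) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${dep}` : dep;
      if (dep === name && isAffected(info.version)) hits.push(`${path}@${info.version}`);
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the top-level postcss was forced to 8.2.10, but a nested
// copy under a (hypothetical) react-scripts dependency chain is still 7.0.35.
const SAMPLE_LOCK = { dependencies: {
  postcss: { version: "8.2.10" },
  "react-scripts": { version: "4.0.3", dependencies: {
    "postcss-loader": { version: "3.0.0", dependencies: { postcss: { version: "7.0.35" } } },
  } },
} };

console.log(findAffectedPostcss(SAMPLE_LOCK)); // constructed sample: one nested hit
```

To scan a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); an empty result means no affected copy remains in the lockfile.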