gpt4 book ai didi

javascript - 为什么我的 yarn.lock 文件中有僵尸包?

转载 作者:行者123 更新时间:2023-12-04 03:30:04 24 4
gpt4 key购买 nike

我们将所有应用程序部署为 Docker 容器,并且作为构建过程的一部分,通过容器扫描运行它们以阻止包含已知修复漏洞的部署。
我目前的安全扫描失败,因为我的 yarn.lock包含 cacache@^12.0.2 .但据我所知,绝对没有理由将其放在锁定文件中。例如,如果我运行 yarn why似乎没有理由包含该软件包:

/app # yarn why cacache@^12.0.2
yarn why v1.22.4
[1/4] Why do we have the module "cacache@^12.0.2"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
error We couldn't find a match!
Done in 1.30s.
如何摆脱这些不安全和不必要的依赖?
我试过删除锁定文件并从头开始重建。这样做之后,有问题的 12.0.2 版本仍然存在。我也试过运行 autoclean命令,它确实删除了大量不必要的重量,但没有删除这些明显多余且绝对不安全的依赖项。
更新:根据要求,这是包文件的一部分,其中列出了依赖项:
{
... redacted
"dependencies": {
"@nuxtjs/axios": "^5.3.6",
"@sentry/browser": "^5.29.0",
"@sentry/integrations": "^5.29.0",
"@sentry/tracing": "^5.29.0",
"@sentry/vue": "^5.29.0",
"amplitude-js": "^7.4.1",
"buefy": "^0.9.3",
"cacache": "^15.0.6",
"element-ui": "^2.14.0",
"file-saver": "^2.0.2",
"idle-vue": "^2.0.5",
"is-svg": "^4.2.2",
"js-cookie": "^2.2.1",
"launchdarkly-js-client-sdk": "^2.19.1",
"lodash": "^4.17.15",
"logrocket": "^1.0.7",
"logrocket-vuex": "^0.0.3",
"moment": "^2.26.0",
"nuxt": "^2.0.0",
"view-design": "^4.4.0",
"vue-feather-icons": "^5.1.0",
"vue-resize-directive": "^1.2.0",
"vuex-persistedstate": "^3.0.1"
},
"devDependencies": {
"@olavoparno/jest-badges-readme": "^1.5.1",
"@vue/test-utils": "^1.0.0-beta.27",
"babel-core": "^7.0.0-bridge.0",
"babel-jest": "^24.1.0",
"clipboardy": "^2.3.0",
"coffee-loader": "^1.0.0",
"coffeescript": "^2.5.1",
"cypress": "^6.8.0",
"jest": "^26.0.0",
"node-sass": "^4.14.1",
"pug": "^3.0.1",
"pug-plain-loader": "^1.0.0",
"sass-loader": "^8.0.2",
"vue-jest": "^4.0.0-rc.0"
}
}

最佳答案

➜ yarn why cacache
yarn why v1.21.1
[1/4] 🤔 Why do we have the module "cacache"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "cacache@15.0.6"
info Has been hoisted to "cacache"
info Reasons this module exists
- Specified in "dependencies"
- Hoisted from "nuxt#@nuxt#webpack#terser-webpack-plugin#cacache"
=> Found "webpack#cacache@12.0.4"
info Reasons this module exists
- "nuxt#@nuxt#webpack#webpack#terser-webpack-plugin" depends on it
- Hoisted from "nuxt#@nuxt#webpack#webpack#terser-webpack-plugin#cacache"
(作为答案发布,因为这会发表糟糕的评论。)
然后跟进 yarn why terser-webpack-plugin当然。

关于javascript - 为什么我的 yarn.lock 文件中有僵尸包?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67111317/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com