Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openSCA对框架依赖扫描结果中的漏洞问题 #270

Open
LinhoonYu opened this issue Jun 3, 2024 · 5 comments
Open

openSCA对框架依赖扫描结果中的漏洞问题 #270

LinhoonYu opened this issue Jun 3, 2024 · 5 comments

Comments

@LinhoonYu
Copy link

微信图片_20240603094656
首先非常感谢大佬前几天帮忙解决了egg-security中的间接依赖项的版本漏洞问题,目前项目在openSCA扫描结果中还存在5个间接依赖问题,不太好解决,还请大佬帮忙升级一下间接依赖:

  1. socket.io-parser:[egg-socket.io:4.1.6]/[socket.io:2.5.0]/[socket.io-client:2.5.0]/[socket.io-parser:3.3.3]]
  2. engine.io:[egg-socket.io:4.1.6]/[socket.io:2.5.0]/[engine.io:3.6.1]]
  3. semver:[egg:3.22.0]/[egg-cluster:2.2.1]/[semver:5.7.2]]
  4. serialize-javascript: [egg-bin:5.17.1]/[mocha:10.2.0]/[serialize-javascript:6.0.0]]
  5. debug: [egg-socket.io:4.1.6]/[socket.io:2.5.0]/[debug:4.1.1]]
  • 其中三项属于egg-socket.io下的socket.io依赖的问题,能否提高socket.io版本,如果担心已有项目会受影响,是否可以提供一个5版本以上的egg-socket.io并在其中使用高版本的socket.io,可供使用
    
@fengmk2
Copy link
Member

fengmk2 commented Jun 3, 2024

可以去给 egg-socket.io 提 pr 吧,这个插件我没有使用场景,目前没法参与维护。

@fengmk2
Copy link
Member

fengmk2 commented Jun 3, 2024

mocha 只用于单测环境,可以忽略。

@LinhoonYu
Copy link
Author

mocha 只用于单测环境,可以忽略。

第三条semver能解决吗

@fengmk2
Copy link
Member

fengmk2 commented Jun 3, 2024

https://github.com/npm/node-semver/blob/main/CHANGELOG.md#60 看起来可以的,我提交一个 pr

@LinhoonYu
Copy link
Author

https://github.com/npm/node-semver/blob/main/CHANGELOG.md#60 看起来可以的,我提交一个 pr
感谢大佬

fengmk2 added a commit to eggjs/egg-cluster that referenced this issue Jun 3, 2024
https://security.snyk.io/package/npm/semver

eggjs/egg-bin#270


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Added a new script to manage contributors automatically in the
project.

- **Documentation**
- Updated README to include a list of contributors with their GitHub
profiles and avatars.

- **Refactor**
- Replaced deprecated message logging with `console.warn` for HTTPS
configuration.
- Removed `semver` dependency and simplified related logic in the
project.

- **Chores**
- Updated Node.js CI workflow to include an additional Node.js version
and added `CODECOV_TOKEN` secret.
- Updated `semver` version in `package.json` and added `git-contributor`
dependency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants