Angular: updating package css-what

Ste*_*ove 6 npm angular

I have the following Angular setup:

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 12.0.3
Node: 14.17.0
Package Manager: npm 7.16.0
OS: win32 x64

Angular: 12.0.4
... animations, cdk, common, compiler, compiler-cli, core, forms
... localize, material, platform-browser
... platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1200.3
@angular-devkit/build-angular   0.1102.14
@angular-devkit/core            12.0.3
@angular-devkit/schematics      12.0.3
@angular/cli                    12.0.3
@schematics/angular             12.0.3
rxjs                            6.6.7
typescript                      4.2.4

I ran into problems when running npm audit --audit-level high. It returned a number of issues, one of which is the following:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@0.901.15, which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  >=4.0.0-nightly.2020.1.9
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            @angular-devkit/build-angular  *
            Depends on vulnerable versions of @angular-devkit/build-webpack
            Depends on vulnerable versions of resolve-url-loader
            Depends on vulnerable versions of webpack
            Depends on vulnerable versions of webpack-dev-server
            node_modules/@angular-devkit/build-angular

I ran the following update to try to resolve the issue,

npm update css-what

but I still get the same issue.

Can someone help me out? How do I resolve the audit warning?

Tim*_*thy 1

I ran into the same problem but couldn't find a fix for the vulnerability.

I found that you simply can't update css-what directly by hand with

npm install @angular-devkit/build-angular@latest
// or
npm install css-what@latest

because css-select is an indirect dependency.

Because of the following dependency conflict, the latest version that can be installed is 4.0.0:

@angular-devkit/build-angular@12.0.3 requires css-what@^4.0.0 through a transitive dependency on css-select@3.1.2; the earliest fixed version is 5.0.1.

This dependency hasn't been fixed in @angular-devkit/build-angular@12.0.5 either.

There is also a thread about it: https://github.com/angular/angular-cli/issues/21185
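The mechanism behind the answer above, as an added example that is not part of the question or the answer: npm update never leaves the range a dependent declared, so with css-select pinning css-what@^4.0.0 (the one range the answer names) the highest version npm can pick is still a 4.x release, which sits inside the advisory's vulnerable range of <5.0.1. The script below models exactly that with a deliberately small semver matcher that handles only the two range shapes that appear in the audit output; the release list it walks is a constructed sample, not the real css-what publish history.

```javascript
// Added example (not from the question or answer): why `npm update css-what`
// stays on a vulnerable 4.x release. Supports only caret ranges ("^4.0.0")
// and upper-bound ranges ("<5.0.1", "<=5.0.1"); it is not a full semver
// implementation and deliberately rejects anything else.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare on [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// True when `version` lies inside `range`.
function satisfies(range, version) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const base = r.slice(1);
    return compareVersions(version, base) >= 0 &&
           compareVersions(version, caretUpperBound(base)) < 0;
  }
  if (r.startsWith('<=')) return compareVersions(version, r.slice(2)) <= 0;
  if (r.startsWith('<')) return compareVersions(version, r.slice(1)) < 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// What `npm update <pkg>` is allowed to do: take the highest published
// version that still satisfies the range the dependent declared.
// Returns null when no published version fits.
function highestSatisfying(range, published) {
  const ok = published.filter((v) => satisfies(range, v));
  if (ok.length === 0) return null;
  ok.sort(compareVersions);
  return ok[ok.length - 1];
}

// From the answer: css-select@3.1.2 depends on css-what@^4.0.0.
// From the advisory line in the audit output: css-what <5.0.1 is vulnerable.
const DECLARED_RANGE = '^4.0.0';
const VULNERABLE_RANGE = '<5.0.1';

// Constructed sample release list for the walkthrough; not the real
// css-what publish history.
const PUBLISHED = ['4.0.0', '4.3.0', '5.0.0', '5.0.1'];

// Where `npm update` lands, whether audit still flags that version, and
// whether ANY published version both fits the range and escapes the advisory.
function explainUpdate(range, published, vulnerableRange) {
  const target = highestSatisfying(range, published);
  return {
    target,
    stillVulnerable: target !== null && satisfies(vulnerableRange, target),
    fixReachable: published.some(
      (v) => satisfies(range, v) && !satisfies(vulnerableRange, v)
    ),
  };
}

console.log(explainUpdate(DECLARED_RANGE, PUBLISHED, VULNERABLE_RANGE));
// { target: '4.3.0', stillVulnerable: true, fixReachable: false }
```

Because fixReachable is false, no amount of npm update on css-what can clear the advisory; the range has to be widened by the dependent that declares it (a css-select release that accepts css-what 5.x, pulled in by a newer @angular-devkit/build-angular), which is what the answer and the linked issue are waiting on. The npm overrides field in package.json can force a single css-what version across the whole tree, but it was only introduced in npm 8.3, so it is not available on the npm 7.16.0 shown in the question.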