npm install , package-lock.json 存在 "file-type": "^9.0.0"、"jpeg-js": "^0.3.4"

- 发布:2025-01-17 11:04
- 更新:2025-02-06 17:37
- 阅读:69
【报Bug】@dcloudio/uni-mp-weixin 依赖 "file-type": "^9.0.0"、 "jpeg-js": "^0.3.4"这两个依赖被扫描存在漏洞
产品分类: uniapp/H5
PC开发环境操作系统: Mac
PC开发环境操作系统版本号: macOs14.5
浏览器平台: IE
浏览器版本: 8
项目创建方式: CLI
CLI版本号: 3.0.0-4000720240327002
操作步骤:
预期结果:
package-lock.json 存在 "file-type": "^16.0.0"、"jpeg-js": "^0.4.4"
实际结果:
package-lock.json 存在 "file-type": "^9.0.0"、"jpeg-js": "^0.3.4"
bug描述:
@dcloudio/uni-mp-weixin 3.0.0-4000720240327002 依赖 "file-type": "^9.0.0"、"jpeg-js": "^0.3.4",这两个依赖被扫描出存在漏洞。目前业务只用到 H5 端,不需要其他端,应如何升级处理?
3 个回复
DCloud_UNI_OttoJi - 日常回复 uni-app/x 问题,如果艾特我没看到,请主动私信
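我处理下,你可以临时在 npm 中添加 resolutions 补充高版本依赖(resolutions 是 Yarn 的字段;使用 npm 8.3 及以上版本时,对应写法是 package.json 中的 overrides 字段)。覆盖后请重新安装依赖,并检查 package-lock.json 中实际解析到的 file-type、jpeg-js 版本。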
DCloud_UNI_WZF
如果仅需要进行 web 端开发,可以删减 package.json 中多余的依赖及命令,例如精简到如下配置:
注意依赖版本按你实际所需,以上仅是结构的示例
另外:您说的被扫描漏洞是如何扫描的,方便提供下吗?这边复现排查下,谢谢
1***@qq.com (作者)
我删减了部分含微信的依赖后,执行 dev:h5 报错。
{
"name": "uni-preset-vue",
"version": "0.0.0",
"scripts": {
"dev:app": "uni -p app",
"dev:app-android": "uni -p app-android",
"dev:app-ios": "uni -p app-ios",
"dev:custom": "uni -p",
"dev:h5": "uni",
"dev:h5:ssr": "uni --ssr",
"dev:mp-alipay": "uni -p mp-alipay",
"dev:mp-baidu": "uni -p mp-baidu",
"dev:mp-jd": "uni -p mp-jd",
"dev:mp-kuaishou": "uni -p mp-kuaishou",
"dev:mp-lark": "uni -p mp-lark",
"dev:mp-qq": "uni -p mp-qq",
"dev:mp-toutiao": "uni -p mp-toutiao",
"dev:mp-weixin": "uni -p mp-weixin",
"dev:mp-xhs": "uni -p mp-xhs",
"dev:quickapp-webview": "uni -p quickapp-webview",
"dev:quickapp-webview-huawei": "uni -p quickapp-webview-huawei",
"dev:quickapp-webview-union": "uni -p quickapp-webview-union",
"build:app": "uni build -p app",
"build:app-android": "uni build -p app-android",
"build:app-ios": "uni build -p app-ios",
"build:custom": "uni build -p",
"build:h5": "uni build",
"build:h5:ssr": "uni build --ssr",
"build:mp-alipay": "uni build -p mp-alipay",
"build:mp-baidu": "uni build -p mp-baidu",
"build:mp-jd": "uni build -p mp-jd",
"build:mp-kuaishou": "uni build -p mp-kuaishou",
"build:mp-lark": "uni build -p mp-lark",
"build:mp-qq": "uni build -p mp-qq",
"build:mp-toutiao": "uni build -p mp-toutiao",
"build:mp-weixin": "uni build -p mp-weixin",
"build:mp-xhs": "uni build -p mp-xhs",
"build:quickapp-webview": "uni build -p quickapp-webview",
"build:quickapp-webview-huawei": "uni build -p quickapp-webview-huawei",
"build:quickapp-webview-union": "uni build -p quickapp-webview-union",
"type-check": "vue-tsc --noEmit"
},
"dependencies": {
"@dcloudio/uni-app": "3.0.0-4000720240327002",
"@dcloudio/uni-app-plus": "3.0.0-4000720240327002",
"@dcloudio/uni-components": "3.0.0-4000720240327002",
"@dcloudio/uni-h5": "3.0.0-4000720240327002",
"@dcloudio/uni-mp-alipay": "3.0.0-4000720240327002",
"@dcloudio/uni-mp-weixin": "3.0.0-4000720240327002",
"@dcloudio/uni-ui": "^1.5.5",
"@types/crypto-js": "^4.2.2",
"crypto-js": "^4.2.0",
"js-cookie": "^3.0.5",
"marked": "^14.1.1",
"pinia": "2.0.36",
"vue": "^3.3.11",
"vue-i18n": "^9.13.1"
},
"devDependencies": {
"@dcloudio/types": "^3.4.8",
"@dcloudio/uni-automator": "3.0.0-4000720240327002",
"@dcloudio/uni-cli-shared": "3.0.0-4000720240327002",
"@dcloudio/uni-stacktracey": "3.0.0-4000720240327002",
"@dcloudio/vite-plugin-uni": "3.0.0-4000720240327002",
"@types/js-cookie": "^3.0.6",
"@types/node": "^20.14.2",
"@types/sm-crypto": "^0.3.4",
"@vue/runtime-core": "^3.3.11",
"@vue/tsconfig": "^0.1.3",
"sass": "^1.77.5",
"sass-loader": "10.1.1",
"typescript": "^4.9.5",
"vite": "4.3.5",
"vite-plugin-vue-devtools": "^7.3.5",
"vue-tsc": "^1.8.27"
}
}
2025-02-05 10:25
DCloud_UNI_WZF
回复 1***@qq.com: 没看懂,你没删减到我提供的情况啊
2025-02-05 10:57
1***@qq.com (作者)
您好,上面是原来的文件,下面是我改后的文件:
{
"name": "uni-preset-vue",
"version": "0.0.0",
"scripts": {
"dev:custom": "uni -p",
"dev:h5": "uni",
"dev:h5:ssr": "uni --ssr",
"build:custom": "uni build -p",
"build:h5": "uni build",
"build:h5:ssr": "uni build --ssr"
},
"dependencies": {
"@dcloudio/uni-app": "3.0.0-alpha-4010320240415001",
"@dcloudio/uni-app-harmony": "3.0.0-alpha-4010320240415001",
"@dcloudio/uni-app-plus": "3.0.0-alpha-4010320240415001",
"@dcloudio/uni-components": "3.0.0-alpha-4010320240415001",
"@dcloudio/uni-h5": "3.0.0-alpha-4010320240415001",
"@dcloudio/uni-quickapp-webview": "3.0.0-alpha-4010320240415001",
"vue": "^3.4.21",
"vue-i18n": "^9.1.9",
"@dcloudio/uni-ui": "^1.5.5",
"@types/crypto-js": "^4.2.2",
"crypto-js": "^4.2.0",
"js-cookie": "^3.0.5",
"marked": "^14.1.1",
"pinia": "2.0.36"
},
"devDependencies": {
"@dcloudio/types": "^3.4.8",
"@dcloudio/uni-cli-shared": "3.0.0-alpha-4010320240415001",
"@dcloudio/uni-stacktracey": "3.0.0-alpha-4010320240415001",
"@dcloudio/vite-plugin-uni": "3.0.0-alpha-4010320240415001",
"@vue/runtime-core": "^3.4.21",
"@types/js-cookie": "^3.0.6",
"@types/node": "^20.14.2",
"@types/sm-crypto": "^0.3.4",
"@vue/tsconfig": "^0.1.3",
"sass": "^1.77.5",
"sass-loader": "10.1.1",
"typescript": "^4.9.5",
"vite": "4.3.5",
"vite-plugin-vue-devtools": "^7.3.5",
"vue-tsc": "^1.8.27"
}
}
执行npm run dev:h5报错
node_modules/unimport/dist/shared/unimport.MMUMmZ45.cjs:424
importEntry.meta ??= {};
^^^
SyntaxError: Unexpected token '??='
1***@qq.com (作者)
没事没事,改了以后需要升级 Node 版本才能启动(`??=` 是 ES2021 的逻辑空值赋值语法,Node.js 15 及以上才支持,旧版本解析到它就会抛出上面的 SyntaxError)。
2025-02-06 17:45