LHJ

I'm a FE developer.

의존성 취약 모듈 업데이트

23 Sep 2020 » node_module

의존성 취약 모듈 업데이트

npm audit fix

npm audit fix로 취약점을 해결하자

언제부터인가 npm install을 하면 아래와 같은 메시지가 나왔다.
취약점이 발견되었으니 npm audit fix를 하라는 뜻이다.

ys@YS-PC MINGW64 /c/workspace/summer/foreign_survey/client (develop)
$ npm install --only=prod
audited 30197 packages in 12.466s
found 657 vulnerabilities (574 low, 64 moderate, 16 high, 3 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

이게 무엇인고 하니, npm install을 할 때 package의 취약점을 검사한다.
그리고 npm audit fix로 취약점이 발견된 package를 자동으로 update 해준다.

ys@YS-PC MINGW64 /c/workspace/summer/foreign_survey/client (develop)
$ npm audit fix
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.1.3 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ babel-preset-env@1.7.0
added 43 packages from 39 contributors, removed 10 packages, updated 8 packages and moved 1 package in 28.66s
fixed 477 of 657 vulnerabilities in 30197 scanned packages
  7 package updates for 180 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or do it by hand)

npm audit fix을 해도 취약점이 다 해결되지 않는 경우가 많다.
그러면 취약점이 더 줄어들지 않을 때까지 npm audit fix를 해준다.
그래도 취약점이 0이 되지 않으면 npm audit으로 뭐가 문제인지 확인한 후 수작업으로 문제를 해결해준다.

ys@YS-PC MINGW64 /c/workspace/summer/foreign_survey/client (develop)
$ npm audit

                       === npm audit security report ===

# Run  npm install --save-dev nightwatch@1.0.6  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   nightwatch [dev]

  Path            nightwatch > mocha-nightwatch > debug

  More info       https://nodesecurity.io/advisories/534




  Critical        Command Injection

  Package         growl

  Dependency of   nightwatch [dev]

  Path            nightwatch > mocha-nightwatch > growl

  More info       https://nodesecurity.io/advisories/146




  High            Denial of Service

  Package         http-proxy-agent

  Dependency of   nightwatch [dev]

  Path            nightwatch > proxy-agent > http-proxy-agent

  More info       https://nodesecurity.io/advisories/607




  High            Denial of Service

  Package         http-proxy-agent

  Dependency of   nightwatch [dev]

  Path            nightwatch > proxy-agent > pac-proxy-agent >
                  http-proxy-agent

  More info       https://nodesecurity.io/advisories/607




  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   nightwatch [dev]

  Path            nightwatch > proxy-agent > https-proxy-agent

  More info       https://nodesecurity.io/advisories/593




  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   nightwatch [dev]

  Path            nightwatch > proxy-agent > pac-proxy-agent >
                  https-proxy-agent

  More info       https://nodesecurity.io/advisories/593



# Run  npm install --save-dev url-loader@1.0.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Regular Expression Denial of Service

  Package         mime

  Dependency of   url-loader [dev]

  Path            url-loader > mime

  More info       https://nodesecurity.io/advisories/535



found 7 vulnerabilities (1 low, 1 moderate, 4 high, 1 critical) in 33345 scanned packages
  7 vulnerabilities require semver-major dependency updates.

위와 같이 확인 후 문제가 되는 nightwatch를 update 한다.

ys@YS-PC MINGW64 /c/workspace/summer/foreign_survey/client (develop)
$ npm install --save-dev nightwatch@1.0.6
npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ nightwatch@1.0.6
added 13 packages from 438 contributors, removed 21 packages, updated 16 packages and audited 33329 packages in 21.056s
found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

아래와 같이 나오면 모든 취약점이 해결된 것이다.

ys@YS-PC MINGW64 /c/workspace/summer/foreign_survey/client (develop)
$ npm install --only=prod
audited 33337 packages in 12.174s
found 0 vulnerabilities

하지만 계속 업데이트하고 의존성 취약 모듈을 수정해줘도 아래처럼 문구가 이렇게 나올 때도 있다.

updated 2 packages in 3.756s
fixed 114 of 144 vulnerabilities in 1713 scanned packages
  30 vulnerabilities required manual review and could not be updated

이는 npm도 해당 취약점은 해결할 수 없다는 것이다.