Tuesday, January 23, 2024

JavaScript development notes: use npm commands wherever possible to handle package security updates, in this case upgrading electron and electron-builder



An old practice project I left on GitHub kept receiving package security upgrade notification emails (this is just one of them). In the past I handled these by editing package.json by hand; this time let's try doing it with npm commands:

% git clone https://github.com/changyy/node-electron-based
% cd node-electron-based
% source env_nvm.sh 
Now using node v16.20.2 (npm v8.19.4)
% npm install
npm WARN deprecated asar@3.2.0: Please use @electron/asar moving forward.  There is no API change, just a package name change
npm WARN deprecated electron-osx-sign@0.6.0: Please use @electron/osx-sign moving forward. Be aware the API is slightly different

added 557 packages, and audited 558 packages in 10s

69 packages are looking for funding
  run `npm fund` for details

11 vulnerabilities (4 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Next, as the message above suggests, run npm audit fix to take a look:

% npm audit fix

up to date, audited 558 packages in 860ms

69 packages are looking for funding
  run `npm fund` for details

# npm audit report

electron  <=22.3.24
Severity: high
Depends on vulnerable versions of @electron/get
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd - https://github.com/advisories/GHSA-7x97-j373-85x5
Electron context isolation bypass via nested unserializable return value - https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
Electron affected by libvpx's heap buffer overflow in vp8 encoding - https://github.com/advisories/GHSA-qqvq-6xgj-jw8g
ASAR Integrity bypass via filetype confusion in electron - https://github.com/advisories/GHSA-7m48-wc93-9g85
fix available via `npm audit fix --force`
Will install electron@28.1.4, which is a breaking change
node_modules/electron

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron@28.1.4, which is a breaking change
node_modules/got
  @electron/get  <=1.14.1
  Depends on vulnerable versions of got
  node_modules/@electron/get

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || 22.10.4 - 24.6.0
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

11 vulnerabilities (4 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Handle it with npm audit fix --force:

% npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating electron to 28.1.4, which is a SemVer major change.

added 10 packages, removed 13 packages, changed 15 packages, and audited 555 packages in 4s

76 packages are looking for funding
  run `npm fund` for details

# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || 22.10.4 - 24.6.0
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

8 vulnerabilities (2 moderate, 6 high)

To address all issues, run:
  npm audit fix

% git diff
diff --git a/package.json b/package.json
index f470e2b..4b7ac3d 100644
--- a/package.json
+++ b/package.json
@@ -19,7 +19,7 @@
     "concurrently": "^7.4.0",
     "copy-webpack-plugin": "^11.0.0",
     "cross-env": "^7.0.3",
-    "electron": "^20.1.1",
+    "electron": "^28.1.4",
     "electron-builder": "^23.3.3",
     "webpack-cli": "^4.10.0",
     "webpack-dev-server": "^4.11.0"
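Review bot: the hunk bumps only `"electron": "^28.1.4",` and leaves `"electron-builder": "^23.3.3",` in place, although the audit report just above still lists electron-builder 19.25.0 || 22.10.4 - 24.6.0 as depending on vulnerable app-builder-lib and dmg-builder, which is why 8 findings survive `--force`; bumping electron-builder in the same change would have closed that chain. Also, `git diff` with no path argument shows no package-lock.json change, so the lockfile appears not to be tracked and the exact resolved tree that was audited is not recorded in the repository.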

That should count as one item taken care of. Finally, check whether the previous build still works:

% npm install
% npm run build

> simple-electron-app@1.0.0 build
> webpack-cli && electron-builder -mwl

assets by path ../../ 2.47 KiB
  assets by path ../../renderer/*.js 958 bytes
    asset ../../renderer/mainRenederer.js 910 bytes [emitted] [from: src/renderer/mainRenederer.js] [copied] [minimized]
    asset ../../renderer/index.js 48 bytes [emitted] [from: src/renderer/index.js] [copied] [minimized]
  asset ../../main/index.js 1.26 KiB [emitted] [from: src/main/index.js] [copied] [minimized]
  asset ../../preload/mainRenderer.js 289 bytes [emitted] [from: src/preload/mainRenderer.js] [copied] [minimized]
asset index.html 495 bytes [emitted] [from: src/html/mainRenderer/index.html] [copied]
asset index.js 253 bytes [emitted] [minimized] (name: mainRendererHTML)
./src/html/mainRenderer/index.js 380 bytes [built] [code generated]

WARNING in configuration
The 'mode' option has not been set, webpack will fallback to 'production' for this value.
Set 'mode' option to 'development' or 'production' to enable defaults for each environment.
You can also set it to 'none' to disable any default behavior. Learn more: https://webpack.js.org/configuration/mode/

webpack 5.89.0 compiled with 1 warning in 146 ms
  • electron-builder  version=23.6.0 os=23.2.0
  • description is missed in the package.json  appPackageFile=/Volumes/Data/UserData/tmp/node-electron-based/package.json
  • writing effective config  file=dist/builder-effective-config.yaml
  • packaging       platform=darwin arch=arm64 electron=28.1.4 appOutDir=dist/mac-arm64
  • downloading     url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-darwin-arm64.zip size=95 MB parts=8
  • downloaded      url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-darwin-arm64.zip duration=36.971s
  • default Electron icon is used  reason=application icon is not set
  • skipped macOS application code signing  reason=cannot find valid "Developer ID Application" identity or custom non-Apple code signing certificate, it could cause some undefined behaviour, e.g. macOS localized description not visible, see https://electron.build/code-signing allIdentities=     0 identities found
                                                Valid identities only
     0 valid identities found
  • building        target=macOS zip arch=arm64 file=dist/simple-electron-app-1.0.0-arm64-mac.zip
  • building        target=DMG arch=arm64 file=dist/simple-electron-app-1.0.0-arm64.dmg
  • Detected arm64 process, HFS+ is unavailable. Creating dmg with APFS - supports Mac OSX 10.12+
  • packaging       platform=linux arch=x64 electron=28.1.4 appOutDir=dist/linux-unpacked
  • downloading     url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-linux-x64.zip size=102 MB parts=8
  • building block map  blockMapFile=dist/simple-electron-app-1.0.0-arm64.dmg.blockmap
  • building block map  blockMapFile=dist/simple-electron-app-1.0.0-arm64-mac.zip.blockmap
  • downloaded      url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-linux-x64.zip duration=30.749s
  • building        target=snap arch=x64 file=dist/simple-electron-app_1.0.0_amd64.snap
  • building        target=AppImage arch=x64 file=dist/simple-electron-app-1.0.0.AppImage
  • application Linux category is set to default "Utility"  reason=linux.category is not set and cannot map from macOS docs=https://www.electron.build/configuration/linux
  • default Electron icon is used  reason=application icon is not set
  • application Linux category is set to default "Utility"  reason=linux.category is not set and cannot map from macOS docs=https://www.electron.build/configuration/linux
  • packaging       platform=win32 arch=arm64 electron=28.1.4 appOutDir=dist/win-arm64-unpacked
  • downloading     url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-win32-arm64.zip size=108 MB parts=8
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/snap-template-4.0-2/snap-template-electron-4.0-2-amd64.tar.7z size=1.5 MB parts=1
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/appimage-12.0.1/appimage-12.0.1.7z size=1.6 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/appimage-12.0.1/appimage-12.0.1.7z duration=5.225s
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/snap-template-4.0-2/snap-template-electron-4.0-2-amd64.tar.7z duration=5.425s
  • downloaded      url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-win32-arm64.zip duration=42.26s
  • default Electron icon is used  reason=application icon is not set
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=4.001s
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/wine-4.0.1-mac/wine-4.0.1-mac.7z size=19 MB parts=3
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/wine-4.0.1-mac/wine-4.0.1-mac.7z duration=13.249s
  • building        target=nsis file=dist/simple-electron-app Setup 1.0.0.exe archs=arm64 oneClick=true perMachine=false
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=5.637s
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=4.013s
  • building block map  blockMapFile=dist/simple-electron-app Setup 1.0.0.exe.blockmap

The build is fine, so continue with the rest:

% npm audit fix

up to date, audited 555 packages in 730ms

76 packages are looking for funding
  run `npm fund` for details

# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || 22.10.4 - 24.6.0
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

8 vulnerabilities (2 moderate, 6 high)

To address all issues, run:
  npm audit fix

The story seems to originate with electron-builder, so let's try upgrading that first:

% cat package.json | jq '.devDependencies["electron-builder"]'
"^23.3.3"
% npm update --dev electron-builder
% cat package.json | jq '.devDependencies["electron-builder"]'
"^23.3.3"

Looks like this trick is the only option:

% npm install electron-builder@latest --save-dev
% cat package.json | jq '.devDependencies["electron-builder"]'
"^24.9.1"

That confirms everything is clean:

% npm audit
found 0 vulnerabilities
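An added example (not code from the original post) that turns the manual decision made above into a small Node script: from an `npm audit --json` report (the auditReportVersion 2 fields `isDirect` and `fixAvailable`) and the devDependencies of package.json, it separates findings that plain `npm audit fix` can resolve from those that need `npm install <pkg>@<version> --save-dev`, because the fix version lies outside the declared caret range, which is exactly why `npm update` left "^23.3.3" untouched. The report and devDependencies are constructed to mirror the post; `example-unfixed` is a hypothetical package name.

```javascript
// Constructed `npm audit --json` excerpt modelled on the post's report (auditReportVersion 2
// fields isDirect, severity, fixAvailable); "example-unfixed" is a hypothetical package.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    electron: { isDirect: true, severity: "high",
      fixAvailable: { name: "electron", version: "28.1.4", isSemVerMajor: true } },
    "electron-builder": { isDirect: true, severity: "high",
      fixAvailable: { name: "electron-builder", version: "24.9.1", isSemVerMajor: true } },
    minimatch: { isDirect: false, severity: "high", fixAvailable: true },
    "example-unfixed": { isDirect: false, severity: "moderate", fixAvailable: false },
  },
};
// Constructed devDependencies matching the post's package.json before the change.
const sampleDevDeps = { electron: "^20.1.1", "electron-builder": "^23.3.3" };

const parseVersion = (v) => v.replace(/^\^/, "").split(".").map(Number);

// Lexicographic compare of [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics: the leftmost non-zero component is pinned, so ^23.3.3 admits
// >=23.3.3 <24.0.0 and ^0.2.1 admits >=0.2.1 <0.3.0. Only caret ranges (what npm
// writes into package.json by default) are handled here.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const lo = parseVersion(range), v = parseVersion(version);
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// One {name, action, command} per advisory: transitive findings and fixes inside the
// declared range are left to `npm audit fix`; a direct dependency whose fix version
// falls outside its caret range needs an explicit install, which `npm update` never
// does because it only moves within the range already written in package.json.
function planFixes(report, devDeps) {
  return Object.entries(report.vulnerabilities).map(([name, v]) => {
    if (v.fixAvailable === false) return { name, action: "no-fix", command: null };
    if (!v.isDirect || v.fixAvailable === true) return { name, action: "audit-fix", command: "npm audit fix" };
    const declared = devDeps[name];
    if (!declared) throw new Error(`${name} is direct but not declared in devDependencies`);
    const target = v.fixAvailable.version;
    return caretSatisfies(declared, target)
      ? { name, action: "audit-fix", command: "npm audit fix" }
      : { name, action: "install", command: `npm install ${name}@${target} --save-dev` };
  });
}
for (const step of planFixes(sampleReport, sampleDevDeps)) console.log(step);
```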

In the end, it really came down to changing just two lines in package.json XD

% git diff package.json 
diff --git a/package.json b/package.json
index f470e2b..4c830f1 100644
--- a/package.json
+++ b/package.json
@@ -19,8 +19,8 @@
     "concurrently": "^7.4.0",
     "copy-webpack-plugin": "^11.0.0",
     "cross-env": "^7.0.3",
-    "electron": "^20.1.1",
-    "electron-builder": "^23.3.3",
+    "electron": "^28.1.4",
+    "electron-builder": "^24.9.1",
     "webpack-cli": "^4.10.0",
     "webpack-dev-server": "^4.11.0"
   }
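Review bot: both entries are caret ranges, so a fresh `npm install` may resolve any later 28.x or 24.x release than the 28.1.4 and 24.9.1 that produced the `found 0 vulnerabilities` result above; committing package-lock.json and installing with `npm ci` keeps the audited tree reproducible. The electron jump from `"^20.1.1"` to `"^28.1.4"` spans several Chromium and Node majors, so the successful `npm run build` earlier covers packaging but not the runtime behaviour of the preload and renderer scripts that webpack emitted.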
