npm install high serverity vulnerabilities : nth-check

Frontend/React

npm install high serverity vulnerabilities : nth-check

오이가지아빠 2023. 4. 20. 11:09

#1. 오류 발생

1년전에 작업한 react 프로젝트를 간만에 다시 띄우려고 로컬에서 npm install 해보니

235 packages are looking for funding
  run `npm fund` for details

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

위처럼 오류가 발생했다. 시키는 대로 npm audit을 날려보자

PS C:\02.DEV\QUIZ\fe-cl> npm audit
# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

뭘까?

#2. 오류 해결

구글에 해당 내용을 검색해 보니 같은 증상이 꽤 보인다.

react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what · 문제 #12132

Vulnerability in react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what · Issue #12132 ·

Describe the bug Upgrade react-scripts to have the @@svgr/webpack@6.* as the dependency. As the current @svgr/webpack@5.5.0 has following vulnerable versions as dependency. nth-check - https://secu...

github.com

react-script 5.0.X를 사용할 때 발생하는 취약점에 대한 종속성 때문이라는데....

해결책이 이것 저것 보인다.

package.json에서

@svgr/webpack 을 재정의 하라는 의견도 보이고,

그 와중에 보이는 best solution!

"overrides": {
  "nth-check": "2.0.1"
},

위 내용을 package.json에 추가하고, npm install 을 다시 했더니 말끔하게 해결됐다.

PS C:\02.DEV\QUIZ\fe-cl> npm install

added 1 package, removed 1 package, changed 1 package, and audited 1523 packages in 2s

235 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

시원.

저작자표시 비영리 변경금지