I am using the latest Vaadin 14 LTS version (14.8.20). While building my project, IntelliJ suggested installing the npm packages from the automatically created package.json. npm then told me that it found 12 vulnerabilities, 11 of them of high severity. So is Vaadin using outdated packages here? Is it dangerous to use this in production? The output of npm audit fix is as follows:
up to date, audited 1276 packages in 7s
79 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-html <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install webpack-dev-server@3.11.3, which is outside the stated dependency range
node_modules/ansi-html
webpack-dev-server 2.0.0-beta - 4.7.2
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of selfsigned
node_modules/webpack-dev-server
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@11.0.0, which is a breaking change
node_modules/copy-webpack-plugin/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
copy-webpack-plugin 5.0.1 - 5.1.2
Depends on vulnerable versions of glob-parent
node_modules/copy-webpack-plugin
highcharts <=8.2.2
Severity: high
Cross-Site Scripting in highcharts - https://github.com/advisories/GHSA-gr4j-r575-g665
Options structure open to Cross-site Scripting if passed unfiltered - https://github.com/advisories/GHSA-8j65-4pcq-xq95
fix available via `npm audit fix --force`
Will install @vaadin/vaadin-charts@23.2.7, which is a breaking change
node_modules/@vaadin/vaadin-shrinkwrap/node_modules/highcharts
node_modules/highcharts
@vaadin/vaadin-charts <=6.2.0-beta1 || 6.2.1 - 22.0.0-rc1
Depends on vulnerable versions of highcharts
node_modules/@vaadin/vaadin-charts
node_modules/@vaadin/vaadin-shrinkwrap/node_modules/@vaadin/vaadin-charts
@vaadin/vaadin-shrinkwrap <=22.0.0-rc1
Depends on vulnerable versions of @vaadin/vaadin-charts
node_modules/@vaadin/vaadin-shrinkwrap
node-forge <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via `npm audit fix --force`
Will install webpack-dev-server@3.11.3, which is outside the stated dependency range
node_modules/node-forge
selfsigned 1.1.1 - 1.10.14
Depends on vulnerable versions of node-forge
node_modules/selfsigned
12 vulnerabilities (1 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
(base) jonas@scadsnb28 IdeaProjects/de4l-client (master *%) npm install 1 ↵
up to date, audited 1276 packages in 3s
79 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (1 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Posted on 2022-11-30 15:14:26
Vaadin uses JS dependencies in two ways.
Obviously, both are written in JS, so their dependencies are defined in the same package.json file, but only the first group of dependencies affects your application code; those are defined in the dependencies section, while the tooling is defined in the devDependencies section.
You should not worry too much about vulnerabilities in the build process: they are hard to exploit during compilation, and they are not passed on to the application's frontend bundle.
So let me remove some of the reported vulnerabilities by running the same command with the --omit dev argument:
$ npm audit report --omit dev
highcharts <=8.2.2
Severity: high
Cross-Site Scripting in highcharts - https://github.com/advisories/GHSA-gr4j-r575-g665
Options structure open to Cross-site Scripting if passed unfiltered - https://github.com/advisories/GHSA-8j65-4pcq-xq95
...As you can see, only highcharts is relevant, and only if you are using the Vaadin component in your application.
Let's assume you are using charts; the vulnerability here can only be exploited if the application exposes a chart configuration built from unsanitized user input.
Here you have a more complete answer about the security of Vaadin and Highcharts: Vaadin 8 and outdated HighCharts library security issue.
Posted on 2022-11-05 19:00:52
Vaadin 23 is the latest stable version, released under the new simplified versioning model. It is the version recommended for all users, as specified on their releases page.
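The answer above draws the line between findings that reach the frontend bundle and findings confined to build tooling. The following added example (not code from the answer or from Vaadin) automates that triage over `npm audit --json` output: it walks each finding's `effects` chain up to the direct dependencies that pull it in and checks whether every such root lives in devDependencies. It assumes the npm 7+ JSON layout (`severity`, `isDirect`, `effects` per entry); the package.json fragment and audit excerpt are constructed to mirror the report on this page.

```python
import json

# Constructed package.json fragment: runtime deps vs build tooling (devDependencies).
PACKAGE_JSON = {
    "dependencies": {"@vaadin/vaadin-charts": "21.0.0"},
    "devDependencies": {"webpack-dev-server": "3.11.0", "copy-webpack-plugin": "5.1.2"},
}

# Constructed excerpt in the npm 7+ `npm audit --json` layout (assumed shape):
# each entry lists its 'effects', i.e. the packages that depend on it.
AUDIT_JSON = json.dumps({"vulnerabilities": {
    "ansi-html": {"severity": "high", "isDirect": False, "effects": ["webpack-dev-server"]},
    "node-forge": {"severity": "high", "isDirect": False, "effects": ["selfsigned"]},
    "selfsigned": {"severity": "high", "isDirect": False, "effects": ["webpack-dev-server"]},
    "webpack-dev-server": {"severity": "high", "isDirect": True, "effects": []},
    "glob-parent": {"severity": "high", "isDirect": False, "effects": ["copy-webpack-plugin"]},
    "copy-webpack-plugin": {"severity": "high", "isDirect": True, "effects": []},
    "highcharts": {"severity": "high", "isDirect": False, "effects": ["@vaadin/vaadin-charts"]},
    "@vaadin/vaadin-charts": {"severity": "high", "isDirect": True, "effects": []},
}})


def root_dependents(name, vulns):
    """Walk 'effects' upwards to the direct dependencies that pull `name` in."""
    roots, stack, seen = set(), [name], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        entry = vulns.get(cur)
        # A direct dependency, or a dependent missing from the report, is a root.
        if entry is None or entry.get("isDirect"):
            roots.add(cur)
        if entry:
            stack.extend(entry.get("effects", []))
    return roots


def classify(audit_json, package_json):
    """Split findings: dev-only iff every root pulling it in is a devDependency."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    dev = set(package_json.get("devDependencies", {}))
    runtime, dev_only = {}, {}
    for name, entry in vulns.items():
        roots = root_dependents(name, vulns)
        # Unknown or empty root sets count as runtime-reachable (conservative).
        bucket = dev_only if roots and roots <= dev else runtime
        bucket[name] = entry["severity"]
    return runtime, dev_only
```

Only the runtime-reachable bucket (here highcharts and its Vaadin wrapper) needs a fix or a code review for unsanitized chart options; the rest is what `--omit dev` already hides.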
https://stackoverflow.com/questions/74279000