@sunchao116/mcp-audit 1.0.0

package/src/entry/test/result/result-remote.md

@@ -0,0 +1,151 @@
+# `webpack-dev-server`审计结果
+
+
+您所审计的工程总共有 **4** 个风险漏洞。
+
+其中：
+
+- **严重漏洞**：共计 **0** 个
+- **高危漏洞**：共计 **3** 个
+- **中危漏洞**：共计 **1** 个
+- **低危漏洞**：共计 **0** 个
+
+> 说明：
+>
+> - **严重**漏洞被认为是极其严重的，应该立即修复。
+> - **高危**漏洞被认为是严重的，应该尽快修复。
+> - **中危**漏洞被认为是中等严重的，可以选择在时间允许时修复。
+> - **低危**漏洞被认为是轻微的，可以根据自行需要进行修复。
+
+下面是漏洞的详细信息
+
+
+
+## 高危漏洞
+
+共计 **3** 个
+
+
+### `semver`
+
+**漏洞描述**：
+
+- semver vulnerable to Regular Expression Denial of Service
+  - npm漏洞编号：`1101088`
+  - 漏洞详细说明：https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
+  - 漏洞等级：高危
+  - 受影响的版本：`>=7.0.0 <7.5.2`
+
+
+**依赖关系**：
+
+
+
+- `webpack-dev-server` / `@commitlint/cli` / `@commitlint/lint` / `@commitlint/is-ignored` / `semver`
+
+  
+  
+
+**漏洞包所在目录**：
+
+- `node_modules/@commitlint/is-ignored/node_modules/semver`
+
+
+### `tar-fs`
+
+**漏洞描述**：
+
+- tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
+  - npm漏洞编号：`1104677`
+  - 漏洞详细说明：https://github.com/advisories/GHSA-pq67-2wwv-3xjx
+  - 漏洞等级：高危
+  - 受影响的版本：`>=2.0.0 <2.1.2`
+
+- tar-fs can extract outside the specified dir with a specific tarball
+  - npm漏洞编号：`1105197`
+  - 漏洞详细说明：https://github.com/advisories/GHSA-8cj5-5rvv-wf4v
+  - 漏洞等级：高危
+  - 受影响的版本：`>=2.0.0 <2.1.3`
+
+
+**依赖关系**：
+
+
+
+- `webpack-dev-server` / `puppeteer` / `tar-fs`
+
+  
+  
+
+**漏洞包所在目录**：
+
+- `node_modules/tar-fs`
+
+
+### `ws`
+
+**漏洞描述**：
+
+- ws affected by a DoS when handling a request with many HTTP headers
+  - npm漏洞编号：`1098392`
+  - 漏洞详细说明：https://github.com/advisories/GHSA-3h5v-q93c-6h6q
+  - 漏洞等级：高危
+  - 受影响的版本：`>=8.0.0 <8.17.1`
+
+
+**依赖关系**：
+
+
+
+- `webpack-dev-server` / `puppeteer` / `ws`
+
+  
+  
+
+**漏洞包所在目录**：
+
+- `node_modules/puppeteer/node_modules/ws`
+
+
+
+
+
+## 中危漏洞
+
+共计 **1** 个
+
+
+### `webpack-dev-server`
+
+**漏洞描述**：
+
+- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
+  - npm漏洞编号：`1105256`
+  - 漏洞详细说明：https://github.com/advisories/GHSA-9jgg-88mc-972h
+  - 漏洞等级：中危
+  - 受影响的版本：`<=5.2.0`
+
+- webpack-dev-server users' source code may be stolen when they access a malicious web site
+  - npm漏洞编号：`1105257`
+  - 漏洞详细说明：https://github.com/advisories/GHSA-4v9v-hfq4-rm2v
+  - 漏洞等级：中危
+  - 受影响的版本：`<=5.2.0`
+
+
+**依赖关系**：
+
+
+当前工程
+
+
+
+**漏洞包所在目录**：
+
+- `.`
+
+
+
+
+
+
+

package/src/entry/test/test-index.js

@@ -0,0 +1,15 @@
+import { auditPackage } from '../index.js';
+
+// auditPackage(
+//   `D:/office/vue/监控线上bug/回放`,
+//   `/Users/sunch/Desktop/my-site.md`
+// ).then(() => {
+//   console.log('本地工程审计完成');
+// });
+
+auditPackage(
+  `https://github.com/webpack/webpack-dev-server/tree/v4.9.3`,
+  `C:/Users/sunch/Desktop/webpack-dev-server_4_9_3.md`
+).then(() => {
+  console.log('远程工程审计完成');
+});

package/src/generateLock/generateLock.js

@@ -0,0 +1,27 @@
+import fs from 'fs';
+import { join, dirname } from 'path';
+import { runCommand } from '../common/utils.js';
+
+// 写入 package.json
+async function writePackageJson(workDir, packageJson) {
+  const packageJsonPath = join(workDir, 'package.json');
+  fs.mkdirSync(dirname(packageJsonPath), { recursive: true });
+  await fs.promises.writeFile(
+    packageJsonPath,
+    JSON.stringify(packageJson),
+    'utf8'
+  );
+}
+
+// 创建 lock 文件
+async function createLockFile(workDir) {
+  const cmd = `npm install --package-lock-only --force`;
+  await runCommand(cmd, workDir); // 在工作目录中执行命令
+}
+
+export async function generateLock(workDir, packageJson) {
+  // 1. 将 package.json 写入工作目录
+  await writePackageJson(workDir, packageJson);
+  // 2. 生成 lock 文件
+  await createLockFile(workDir);
+}

package/src/generateLock/index.js

@@ -0,0 +1 @@
+export { generateLock } from './generateLock.js';

package/src/generateLock/test/1.json

@@ -0,0 +1 @@
+{"name":"my-site","version":"0.1.0","private":true,"scripts":{"serve":"vue-cli-service serve","build":"vue-cli-service build --modern","test:Pager":"vue serve ./src/components/Pager/test.vue","test:Avatar":"vue serve ./src/components/Avatar/test.vue","test:Icon":"vue serve ./src/components/Icon/test.vue","test:Empty":"vue serve ./src/components/Empty/test.vue","test:ImageLoader":"vue serve ./src/components/ImageLoader/test.vue","test:Contact":"vue serve ./src/components/SiteAside/Contact/test.vue","test:Menu":"vue serve ./src/components/SiteAside/Menu/test.vue","test:SiteAside":"vue serve ./src/components/SiteAside/test.vue","test:Layout":"vue serve ./src/components/Layout/test.vue","test:RightList":"vue serve ./src/views/Blog/components/RightList-test.vue"},"dependencies":{"axios":"^0.21.0","core-js":"^3.6.5","highlight.js":"^10.5.0","mockjs":"^1.1.0","nprogress":"^0.2.0","querystring":"^0.2.0","vue":"^2.6.11","vue-router":"^3.4.9","vuex":"^3.6.2"},"devDependencies":{"@vue/cli-plugin-babel":"~4.5.0","@vue/cli-service":"~4.5.0","less":"^3.0.4","less-loader":"^5.0.0","vue-template-compiler":"^2.6.11","webpack-bundle-analyzer":"^4.4.0"}}

package/src/generateLock/test/test.js

@@ -0,0 +1,15 @@
+import { generateLock } from '../index.js';
+import fs from 'fs';
+import { join } from 'path';
+import { getDirname } from '../../common/utils.js';
+
+const packageJsonPath = join(getDirname(import.meta.url), '1.json');
+const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+
+async function test() {
+  const workDir =
+    '/Users/yuanjin/Desktop/mcp-audit/src/generateLock/test/workdir';
+  await generateLock(workDir, packageJson);
+}
+
+test();