npx create-react-app not showing latest bump to webpack-dev-server 3.11.0
This is my first SO question, so apologies for the lengthy amount of code. I'm trying to start a new project using create-react-app. I run the following command:
npx create-react-app jam-box --use-npm
because I want to use npm instead of yarn, and everything works fine: the project boilerplate gets created. But one of the dependencies of react-scripts has a security vulnerability:
[Angie @ ~/jam-box](master)
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > webpack-dev-server > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 922235 scanned packages
1 vulnerability requires manual review. See the full report for details.
[Angie @ ~/jam-box](master)
$
I tried running npm audit fix, but it didn't work. I went to the webpack-dev-server GitHub and the create-react-app GitHub, and it looks like they have already addressed this security issue; two days ago it was resolved and merged into create-react-app master.
When running npm i react-scripts@latest in my project:
[Angie @ ~/jam-box](master)
$ npm i react-scripts@latest
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN sass-loader@8.0.2 requires a peer of node-sass@^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN sass-loader@8.0.2 requires a peer of sass@^1.3.0 but none is installed. You must install peer dependencies yourself.
npm WARN sass-loader@8.0.2 requires a peer of fibers@>= 3.1.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
+ react-scripts@3.4.1
updated 1 package and audited 922235 packages in 46.013s
2 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
I've had this problem for several days and have been waiting to see whether they would fix it before trying to create a new create-react-app project again. But today, when I tried running npx create-react-app jam-box --use-npm again, the security vulnerability was still there. I even tried running npm install react-scripts@latest, and the vulnerability is still there. When I look at my package-lock.json, it says react-scripts is still using a previous version of webpack-dev-server rather than the latest 3.11.0. I don't know why running npx create-react-app doesn't reflect the latest master branch of create-react-app. I just want to run create-react-app at the latest version; any help would be appreciated.
npx create-react-app jam-box --use-npm
npx: installed 98 in 9.648s
Creating a new React app in /Users/Angie/jam-box.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...
> fsevents@1.2.13 install /Users/Angie/jam-box/node_modules/jest-haste-map/node_modules/fsevents
> node install.js
SOLINK_MODULE(target) Release/.node
CXX(target) Release/obj.target/fse/fsevents.o
SOLINK_MODULE(target) Release/fse.node
> fsevents@1.2.13 install /Users/Angie/jam-box/node_modules/watchpack/node_modules/fsevents
> node install.js
SOLINK_MODULE(target) Release/.node
CXX(target) Release/obj.target/fse/fsevents.o
SOLINK_MODULE(target) Release/fse.node
> fsevents@1.2.13 install /Users/Angie/jam-box/node_modules/webpack-dev-server/node_modules/fsevents
> node install.js
SOLINK_MODULE(target) Release/.node
CXX(target) Release/obj.target/fse/fsevents.o
SOLINK_MODULE(target) Release/fse.node
> core-js@2.6.11 postinstall /Users/Angie/jam-box/node_modules/babel-runtime/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"
> core-js@3.6.5 postinstall /Users/Angie/jam-box/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"
> core-js-pure@3.6.5 postinstall /Users/Angie/jam-box/node_modules/core-js-pure
> node -e "try{require('./postinstall')}catch(e){}"
+ cra-template@1.0.3
+ react-scripts@3.4.1
+ react@16.13.1
+ react-dom@16.13.1
added 1620 packages from 760 contributors and audited 922030 packages in 107.471s
59 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Installing template dependencies using npm...
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
+ @testing-library/jest-dom@4.2.4
+ @testing-library/react@9.5.0
+ @testing-library/user-event@7.2.1
added 36 packages from 56 contributors and audited 922236 packages in 19.35s
59 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Removing template package using npm...
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
removed 1 package and audited 922235 packages in 12.693s
59 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Created git commit.
Success! Created jam-box at /Users/Angie/jam-box
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd jam-box
npm start
Happy hacking!
I've been looking into this vulnerability and hoping to get it fixed!
My understanding is that react-scripts has not updated its dependencies to point to webpack-dev-server 3.11.0. Since webpack-dev-server is a dependency of react-scripts, react-scripts needs to update it in its own codebase. It's not something we can change in our dependencies.
As you pointed out, webpack-dev-server updated its dependency on yargs to handle the "security vulnerability in yargs-parser (#2566) (41d1d0c)" (webpack-dev-server release notes: https://github.com/webpack/webpack-dev-server/releases).
But react-scripts (maintained and used by create-react-app, https://github.com/facebook/create-react-app/tree/master/packages/react-scripts) has not yet updated its dependency on webpack-dev-server to use the new 3.11.0 version.
I think this could be raised as an issue with them, asking them to update their dependency on webpack-dev-server to point to the latest dependency that resolves the security vulnerability, but honestly I'm not sure exactly how that is done.
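As an added illustration (not code from the question or the answer), this script does the check the asker did by hand in package-lock.json: it follows the audit's path react-scripts > webpack-dev-server > yargs > yargs-parser through a lockfileVersion 1 tree and tests the resolved leaf version against the advisory's "Patched in" range. The lockfile content and its versions are constructed placeholders, and the range evaluator only handles the plain comparators npm audit prints, not full semver syntax.

```javascript
// Constructed sample of an npm 6 package-lock.json (lockfileVersion 1); versions
// are placeholders for illustration, not taken from the asker's real file.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": { version: "3.4.1", requires: { "webpack-dev-server": "3.10.3" } },
    "webpack-dev-server": {
      version: "3.10.3", requires: { yargs: "12.0.5" },
      dependencies: { // nested node_modules under webpack-dev-server
        yargs: { version: "12.0.5", requires: { "yargs-parser": "^11.1.1" } },
        "yargs-parser": { version: "11.1.1" },
      },
    },
  },
};
// Path and "Patched in" range exactly as npm audit printed them in the question.
const ADVISORY_PATH = ["react-scripts", "webpack-dev-server", "yargs", "yargs-parser"];
const PATCHED_IN = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2";

// Numeric compare of two "x.y.z" versions (pre-release suffixes are ignored).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Evaluate a "Patched in" range as npm audit prints it: spaces AND, "||" OR.
function satisfies(version, range) {
  const ops = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0, "<": (c) => c < 0, "=": (c) => c === 0 };
  return range.split("||").some((clause) => clause.trim().split(/\s+/).every((comp) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
    if (!m) throw new Error(`unsupported comparator: ${comp}`);
    return ops[m[1] || "="](compareVersions(version, m[2]));
  }));
}

// Follow an advisory path through the lock tree, resolving each name the way npm's
// nested node_modules layout does: nearest enclosing "dependencies" block, then outward.
function resolvePath(lock, path) {
  let scopes = [lock], hops = [];
  for (const name of path) {
    let i = scopes.length - 1;
    while (i >= 0 && !(scopes[i].dependencies || {})[name]) i--;
    if (i < 0) throw new Error(`${name} not found in lockfile`);
    const node = scopes[i].dependencies[name];
    hops.push({ name, version: node.version });
    scopes = scopes.slice(0, i + 1).concat(node);
  }
  return hops;
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and pass the last hop's version to satisfies; an unpatched leaf that is only reachable through react-scripts confirms the answer's point that the fix has to land upstream.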