运行 npx create-react-app 后发现的中等严重性漏洞

Moderate severity vulnerabilities found after running npx create-react-app

我已经在 Windows 上安装了 32 位的最新 LTS 版本:14.17.0(包括 npm 6.14.13)。 安装节点后,我使用 npm i create-react-app -g

在全局安装了 create-react-app 模块

我已经成功安装了它们,没有任何错误。 但是,如果我尝试 运行 npx create-react-app 在我的终端上,我会得到 browserslist 的 82 个中等严重性漏洞postcss 依赖项说 正则表达式拒绝服务 我也尝试过使用旧版本的节点,但漏洞仍然相同。

在脚本中包含 "preinstall": "npx npm-force-resolutions" 并在我的 package.json 文件中包含 "resolutions": "^3.8.0" 后,漏洞得到修复。 但是,我每次创建新项目时都会这样做。

请建议我永久修复此问题。

我还包括使用 npm audit 的漏洞

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=2.0.0-next.03604a46
    Depends on vulnerable versions of postcss-normalize
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    node_modules/react-scripts

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  autoprefixer  9.0.0 - 9.8.6
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  css-blank-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-blank-pseudo
    postcss-preset-env  >=6.0.0
    Depends on vulnerable versions of css-blank-pseudo
    Depends on vulnerable versions of css-prefers-color-scheme
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-color-gray
    Depends on vulnerable versions of postcss-double-position-gradients
    node_modules/postcss-preset-env
  css-declaration-sorter  4.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/css-declaration-sorter
  css-has-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-has-pseudo
  css-loader  2.0.0 - 4.3.0
  Depends on vulnerable versions of postcss
  node_modules/css-loader
  css-prefers-color-scheme  *
  Depends on vulnerable versions of postcss
  node_modules/css-prefers-color-scheme
  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
  Depends on vulnerable versions of postcss
  node_modules/cssnano
    optimize-css-assets-webpack-plugin  3.2.1 || 5.0.2 - 5.0.6
    Depends on vulnerable versions of cssnano
    node_modules/optimize-css-assets-webpack-plugin
  cssnano-preset-default  <=4.0.0-rc.2 || 4.0.1 - 4.0.8
  Depends on vulnerable versions of cssnano-util-raw-cache
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-calc
  node_modules/cssnano-preset-default
  cssnano-util-raw-cache  >=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  icss-utils  4.0.0 - 4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  2.0.0 - 4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  2.0.0 - 4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-attribute-case-insensitive  4.0.0 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-attribute-case-insensitive
  postcss-browser-comments  2.0.0 - 3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-browser-comments
    postcss-normalize  7.0.0 - 9.0.0
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-browser-comments
    node_modules/postcss-normalize
      react-scripts  >=2.0.0-next.03604a46
      Depends on vulnerable versions of postcss-normalize
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of resolve-url-loader
      node_modules/react-scripts
  postcss-calc  6.0.2 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/postcss-calc
  postcss-color-functional-notation  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-functional-notation
  postcss-color-gray  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-gray
  postcss-color-hex-alpha  4.0.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-hex-alpha
  postcss-color-mod-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-mod-function
  postcss-color-rebeccapurple  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-rebeccapurple
  postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-colormin
  postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-convert-values
  postcss-custom-media  7.0.0 - 7.0.8
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-media
  postcss-custom-properties  8.0.0 - 10.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-properties
  postcss-custom-selectors  5.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-selectors
  postcss-dir-pseudo-class  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-dir-pseudo-class
  postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-comments
  postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-duplicates
  postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-empty
  postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-overridden
  postcss-double-position-gradients  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-double-position-gradients
  postcss-env-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-env-function
  postcss-flexbugs-fixes  4.0.0 - 4.2.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-flexbugs-fixes
  postcss-focus-visible  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-visible
  postcss-focus-within  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-within
  postcss-font-variant  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-font-variant
  postcss-gap-properties  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-gap-properties
  postcss-image-set-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-image-set-function
  postcss-initial  3.0.0 - 3.0.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-initial
  postcss-lab-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-lab-function
  postcss-loader  3.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-loader
  postcss-logical  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-logical
  postcss-media-minmax  4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-media-minmax
  postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-longhand
  postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-rules
  postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-font-values
  postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-gradients
  postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-params
  postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-selectors
  postcss-modules-extract-imports  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  2.0.0 - 2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-nesting  7.0.0 - 7.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-nesting
  postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-unicode
  postcss-normalize-url  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-whitespace
  postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-ordered-values
  postcss-overflow-shorthand  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-overflow-shorthand
  postcss-page-break  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-page-break
  postcss-place  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-place
  postcss-pseudo-class-any-link  >=6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-pseudo-class-any-link
  postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-initial
  postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-transforms
  postcss-replace-overflow-wrap  3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-replace-overflow-wrap
  postcss-selector-matches  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-matches
  postcss-selector-not  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-not
  postcss-svgo  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-svgo
  postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-unique-selectors
  resolve-url-loader  3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
  stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/stylehacks

82 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force ```

在 CRA 团队更新 react-scripts 之前,我认为要使 npx npm-force-resolutions 正常工作,您可能需要编辑 package.json 并在根目录中添加 "resolutions" 部分.在本节中,您可以尝试为问题包指定版本更新。因此,对于您的 postcss,它看起来如下所示(将版本更改为 npm audit 建议的修复版本):

  "resolutions": {
    "postcss": "7.0.36",
    "glob-parent": "^5.1.2",
    "css-what": "^5.0.1",
    "normalize-url": "^4.5.1"
  }

以上配置似乎解决了我的 CRA 项目报告 8 个漏洞,其中 4 个中度漏洞和 4 个高漏洞下降到 1 个中度漏洞关于 browserslist 包。 postcss 的 7.0.36 版是最新版本 7 postcss,它已从 postcss 版本 8 向后移植了 ReDoS 修复程序。我尝试将 postcss 的分辨率更新为 8,但它导致其他问题,我猜这些问题与 WebPack 中使用的 postcss 插件的重大更改有关。我是网络开发新手,所以我在这里猜测。最后,在执行 npm start.

时,如果不在运行时导致 'browserlist module not found' 错误,我似乎无法更新 browserlist

这是我的终端输出,一切就绪 运行 npm i

  npm i

> testpostcss@0.1.0 preinstall F:-Projects\testpostcss
> npx npm-force-resolutions

npx: installed 6 in 1.566s
npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.14.5 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.    
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\watchpack-chokidar2\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"}) 
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\webpack-dev-server\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 2422 packages in 17.483s

141 packages are looking for funding
  run `npm fund` for details

found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
  seefe   testpostcss  master ≢  ~2   14.17.1  ﮫ 18.808s 
   npm audit

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  Moderate        Regular Expression Denial of Service                          

  Package         browserslist                                                  

  Patched in      >=4.16.5                                                      

  Dependency of   react-scripts                                                 

  Path            react-scripts > react-dev-utils > browserslist                

  More info       https://npmjs.com/advisories/1747                             

found 1 moderate severity vulnerability in 2422 scanned packages
  1 vulnerability requires manual review. See the full report for details.
  seefe   testpostcss  master ≢  ~2   14.17.1  ﮫ 2.442s   

我多次遇到这个烦人的错误,这就是我修复错误的方法,

第一个运行npm audit

然后大多数时候它会问我:npm ERR! audit 尝试先创建一个:npm i --package-lock-only

然后我输入 npm i --package-lock-only

而且大多数情况下都有效,不再有漏洞。

发生了错误,但我不知道真正的原因。 我提供的解决方案对我有效,没有更多的漏洞。

这是一张显示发生错误的图片 [1]: https://i.stack.imgur.com/JMED4.jpg

这是一张显示我使用的解决方案的图片。 [2]: https://i.stack.imgur.com/DQFUV.jpg

临时(希望)解决此问题的一种粗略方法是将其添加到依赖项和解决方案中。

将其添加到解决方案将完全停止安装 react-scripts 的依赖项(故意导致模块未找到错误)。

将其添加到依赖项将安装更新版本。

然后它会找到并使用安装的依赖(更新版本)作为反应脚本对构建的依赖。

"dependencies": {
    "browserslist": "^4.16.5",
}
"resolutions": {
    "browserslist": "4.16.5"
}