NPM manual review not working after updating packages

I downloaded node-sass and then got this message: "found 9 vulnerabilities (4 moderate, 5 high) in 1869 scanned packages. 9 vulnerabilities require manual review. See the full report for details." The problem is that I tried installing each new version manually with npm install <packagename>@version --save-dev, as many people suggest, but I still get the same warning message with 4 moderate and 5 high vulnerabilities, so it isn't working.

I also tried npm update, npm audit fix and npm audit fix --force, without success.

  Moderate        Regular Expression Denial of Service
  Package         postcss
  Patched in      >=7.0.36 <8.0.0 || >=8.2.10
  Dependency of   react-scripts
  Path            react-scripts > resolve-url-loader > postcss
  More info       https://npmjs.com/advisories/1693

  Moderate        Regular Expression Denial of Service
  Package         browserslist
  Patched in      >=4.16.5
  Dependency of   react-scripts
  Path            react-scripts > react-dev-utils > browserslist
  More info       https://npmjs.com/advisories/1747

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts
  Path            react-scripts > webpack > watchpack > watchpack-chokidar2 >
                  chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts
  Path            react-scripts > webpack-dev-server > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  High            Regular Expression Denial of Service
  Package         trim-newlines
  Patched in      >=3.0.1 <4.0.0 || >=4.0.1
  Dependency of   node-sass
  Path            node-sass > meow > trim-newlines
  More info       https://npmjs.com/advisories/1753

  High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   react-scripts
  Path            react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >
                  css-select > css-what
  More info       https://npmjs.com/advisories/1754

  High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   react-scripts
  Path            react-scripts > optimize-css-assets-webpack-plugin > cssnano
                  > cssnano-preset-default > postcss-svgo > svgo > css-select
                  > css-what
  More info       https://npmjs.com/advisories/1754

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   react-scripts
  Path            react-scripts > mini-css-extract-plugin > normalize-url
  More info       https://npmjs.com/advisories/1755

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   react-scripts
  Path            react-scripts > optimize-css-assets-webpack-plugin > cssnano
                  > cssnano-preset-default > postcss-normalize-url >
                  normalize-url
  More info       https://npmjs.com/advisories/1755

package.json

{
  "name": "wineharvest",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^5.11.4",
    "@testing-library/react": "^11.1.0",
    "@testing-library/user-event": "^12.1.10",
    "node-sass": "^4.14.1",
    "normalize-url": "^4.5.1",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3",
    "web-vitals": "^1.0.1"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  },
  "devDependencies": {
    "glob-parent": "^5.1.2",
    "postcss": "^7.0.36"
  }
}

Any idea what I should do?

Update: after several hours of research I found the solution. If nothing else works, install the package that is causing you trouble, e.g. npm install postcss --save-dev. Then add this to your package.json file:

{
  "resolutions": {
    "postcss": "^7.0.36"
  }
}

If you are using npm, you should also add this to your scripts:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

As mentioned, after installing the packages and adding them to package.json, you can run npm install. You should then see 0 vulnerabilities.

For more details, see the source that explains all of this: source for this issue
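The fix in the update works by pinning each flagged transitive dependency to a patched version in a "resolutions" map. The script below is an added example, not code from the question or from npm: it parses the table-style report that `npm audit` prints in npm 6 (the format pasted above), collapses the duplicate advisories per package, derives the "resolutions" entries the question adds by hand (lowest bound of the first patched range, with a caret), and merges them plus the preinstall hook into a package.json object. The report text inside it is constructed from three of the advisories shown in the question; the function names are this example's own.

```javascript
// Added example (not code from the original question or from npm): parse the
// table-style `npm audit` report of npm 6 and derive a "resolutions" map.
// The report text below is constructed from advisories shown in the question.

const sampleAudit = `
  Moderate        Regular Expression Denial of Service
  Package         postcss
  Patched in      >=7.0.36 <8.0.0 || >=8.2.10
  Dependency of   react-scripts
  Path            react-scripts > resolve-url-loader > postcss
  More info       https://npmjs.com/advisories/1693

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   react-scripts
  Path            react-scripts > mini-css-extract-plugin > normalize-url
  More info       https://npmjs.com/advisories/1755

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   react-scripts
  Path            react-scripts > optimize-css-assets-webpack-plugin > cssnano
                  > cssnano-preset-default > postcss-normalize-url >
                  normalize-url
  More info       https://npmjs.com/advisories/1755
`;

// A record starts with a severity line; every other line is "<label>  <value>",
// and a line with no known label is the wrapped continuation of the previous
// value (npm wraps long dependency paths onto indented lines).
const SEVERITY_RE = /^\s*(Low|Moderate|High|Critical)\s{2,}(.*)$/;
const FIELD_RE = /^\s*(Package|Patched in|Dependency of|Path|More info)\s{2,}(.*)$/;

function parseAudit(text) {
  const records = [];
  let current = null;
  let lastKey = null;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (line.trim() === '') continue;
    let m = SEVERITY_RE.exec(line);
    if (m) {
      current = { severity: m[1], title: m[2].trim() };
      records.push(current);
      lastKey = null;
      continue;
    }
    m = FIELD_RE.exec(line);
    if (m && current) {
      lastKey = m[1].toLowerCase().replace(' ', '_'); // "Patched in" -> "patched_in"
      current[lastKey] = m[2].trim();
    } else if (current && lastKey) {
      current[lastKey] += ' ' + line.trim(); // join a wrapped path onto its field
    }
  }
  return records;
}

// Lowest bound of the first patched range: ">=7.0.36 <8.0.0 || >=8.2.10"
// gives "7.0.36", which the question pins with a caret as "^7.0.36".
function minimalPatchedVersion(patchedIn) {
  const m = /^\s*>=\s*(\d+\.\d+\.\d+)/.exec(patchedIn.split('||')[0]);
  return m ? m[1] : null;
}

// Collapse duplicate advisories per package and keep every dependency path
// through which the vulnerable version is reached, for checking with `npm ls`.
function summarize(records) {
  const resolutions = {};
  const paths = {};
  for (const r of records) {
    const version = r.package && r.patched_in ? minimalPatchedVersion(r.patched_in) : null;
    if (!version) continue;
    if (!resolutions[r.package]) {
      resolutions[r.package] = '^' + version;
      paths[r.package] = [];
    }
    if (r.path) paths[r.package].push(r.path);
  }
  return { resolutions, paths };
}

// Return a copy of a package.json object with the resolutions merged in and
// the preinstall hook from the question added; everything else is untouched.
function applyResolutions(pkg, resolutions) {
  return {
    ...pkg,
    scripts: { ...(pkg.scripts || {}), preinstall: 'npx npm-force-resolutions' },
    resolutions: { ...(pkg.resolutions || {}), ...resolutions },
  };
}

const report = summarize(parseAudit(sampleAudit));
console.log(JSON.stringify(report.resolutions, null, 2));
```

Two checks are worth doing after `npm install`: run `npm ls <package>` for each pinned package and confirm that only patched versions remain on every path the report listed, and confirm that the caret range you chose still satisfies each dependent's own version range, since a resolution that no dependent accepts can break the build. Note also that the preinstall hook fetches and runs npm-force-resolutions through npx on every install; on npm 8.3 or later the built-in `overrides` field in package.json does the same job without that extra step.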