npm audit fix --force never able to avoid vulnerabilities
I came across the situation of having 22 or 47 vulnerabilities. I can run npm audit fix, but I am always advised to run the --force switch so that the upgrade is actually performed. From there I can upgrade and get 22 vulnerabilities, then I do --force again and get 47 vulnerabilities, and this loop goes on forever. What is the best way out while keeping the packages as they are?
My package.json:
"dependencies": {
"animate.css": "^4.1.1",
"axios": "^0.21.1",
"bootstrap": "^4.5.3",
"http-proxy-middleware": "^0.19.1",
"react": "^17.0.1",
"react-dom": "^17.0.1",
"react-ga": "^3.3.0",
"react-router-dom": "^5.2.0",
"react-scripts": "^1.1.5",
"universal-cookie": "^4.0.4",
"web-vitals": "^0.2.4"
},
When I try npm --audit fix in one of the two states:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: type-fest@0.21.3
npm ERR! node_modules/type-fest
npm ERR! type-fest@"^0.21.3" from ansi-escapes@4.3.2
npm ERR! node_modules/ansi-escapes
npm ERR! ansi-escapes@"^4.2.1" from @jest/core@26.6.3
npm ERR! node_modules/@jest/core
npm ERR! @jest/core@"^26.6.0" from jest@26.6.0
npm ERR! node_modules/jest
npm ERR! peer jest@"^26.0.0" from jest-watch-typeahead@0.6.1
npm ERR! node_modules/jest-watch-typeahead
npm ERR! 1 more (react-scripts)
npm ERR! 1 more (jest-cli)
npm ERR! ansi-escapes@"^4.3.1" from jest-watch-typeahead@0.6.1
npm ERR! node_modules/jest-watch-typeahead
npm ERR! jest-watch-typeahead@"0.6.1" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^4.0.3" from the root project
npm ERR! 2 more (jest-watcher, terminal-link)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/react-refresh-webpack-plugin@0.4.3
npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin
npm ERR! @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^4.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
And then when I run it with --force:
# npm audit report
braces <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/anymatch/node_modules/braces
node_modules/jest-cli/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/anymatch/node_modules/micromatch
node_modules/jest-cli/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-runtime/node_modules/micromatch
node_modules/test-exclude/node_modules/micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-matchers
Depends on vulnerable versions of jest-message-util
node_modules/jest-jasmine2
jest-config 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-jasmine2
node_modules/jest-config
jest-matchers >=18.5.0-alpha.7da3df39
Depends on vulnerable versions of jest-message-util
node_modules/jest-matchers
jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-util
jest-environment-jsdom 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-jsdom
jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
jest-snapshot 18.5.0-alpha.7da3df39 - 21.0.0-beta.1
Depends on vulnerable versions of jest-util
node_modules/jest-snapshot
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/anymatch/node_modules/micromatch
node_modules/jest-cli/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-runtime/node_modules/micromatch
node_modules/test-exclude/node_modules/micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware
jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-matchers
Depends on vulnerable versions of jest-message-util
node_modules/jest-jasmine2
jest-config 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-jasmine2
node_modules/jest-config
jest-matchers >=18.5.0-alpha.7da3df39
Depends on vulnerable versions of jest-message-util
node_modules/jest-matchers
jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-util
jest-environment-jsdom 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-jsdom
jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
jest-snapshot 18.5.0-alpha.7da3df39 - 21.0.0-beta.1
Depends on vulnerable versions of jest-util
node_modules/jest-snapshot
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
js-yaml <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/js-yaml
svgo 0.4.2 - 1.0.5
Depends on vulnerable versions of js-yaml
node_modules/svgo
postcss-svgo <=2.1.6
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano <=3.10.0
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
css-loader 0.15.0 - 0.28.11
Depends on vulnerable versions of cssnano
node_modules/css-loader
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/webpack/node_modules/os-locale
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/webpack-dev-server/node_modules/yargs
node_modules/webpack/node_modules/yargs
node_modules/yargs
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
webpack 2.0.0-beta - 4.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/webpack
babel-loader 7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
Depends on vulnerable versions of webpack
node_modules/babel-loader
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
file-loader 1.1.1 - 1.1.9
Depends on vulnerable versions of webpack
node_modules/file-loader
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
merge <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/normalize-url
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano <=3.10.0
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
css-loader 0.15.0 - 0.28.11
Depends on vulnerable versions of cssnano
node_modules/css-loader
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
sw-precache >=4.2.0
Depends on vulnerable versions of meow
node_modules/sw-precache
sw-precache-webpack-plugin >=0.8.0
Depends on vulnerable versions of sw-precache
node_modules/sw-precache-webpack-plugin
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.11.2
Severity: high
Missing Origin Validation - https://npmjs.com/advisories/725
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/webpack/node_modules/yargs-parser
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/webpack-dev-server/node_modules/yargs
node_modules/webpack/node_modules/yargs
node_modules/yargs
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
webpack 2.0.0-beta - 4.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/webpack
babel-loader 7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
Depends on vulnerable versions of webpack
node_modules/babel-loader
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
file-loader 1.1.1 - 1.1.9
Depends on vulnerable versions of webpack
node_modules/file-loader
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
You are in a loop because react-scripts@1 has some vulnerable dependencies and react-scripts@4 has a different set of vulnerable dependencies, so you bounce back and forth between them. The first time you run npm audit --fix, you are upgraded to react-scripts@4.x; when you run it again, it downgrades you to react-scripts@1.x to get rid of the vulnerable dependencies of the 4.x version.
At the time of writing, if you run npx create-react-app my-app you get react-scripts@4 (along with a warning about 22 vulnerabilities), so you could run npm audit --fix to reach that state, run your tests to make sure nothing is broken, and every now and then check https://www.npmjs.com/package/react-scripts to see whether a release affects the dependencies (and/or run npm audit --fix now and then to see whether it updates automatically).
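To see why every advisory in the report above resolves to the same breaking change, it helps to trace each chain back to the direct dependency that package.json actually controls. The following Node script is an added example, not code from the question or the answer: it parses the plain-text report format npm prints above, and the embedded report is a trimmed excerpt of the question's own output, with DIRECT_DEPS mirroring the question's package.json.

```javascript
// Added example: parse the plain-text `npm audit` report shown in the question and
// work out which direct dependency (from package.json) each advisory funnels through.
// Not code from the question or the answer. REPORT is a trimmed excerpt of the
// question's own output; DIRECT_DEPS mirrors the question's package.json.

const DIRECT_DEPS = new Set([
  "animate.css", "axios", "bootstrap", "http-proxy-middleware", "react", "react-dom",
  "react-ga", "react-router-dom", "react-scripts", "universal-cookie", "web-vitals",
]);

const REPORT = `# npm audit report
braces <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via \`npm audit fix --force\`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/anymatch/node_modules/braces
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
node_modules/anymatch/node_modules/micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware
webpack-dev-server <=3.11.2
Depends on vulnerable versions of http-proxy-middleware
node_modules/webpack-dev-server
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.11.2
Severity: high
Missing Origin Validation - https://npmjs.com/advisories/725
Depends on vulnerable versions of http-proxy-middleware
fix available via \`npm audit fix --force\`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
`;

// One record per package name; the same package is listed under several advisories,
// so later sections merge into the record created by the first one.
function parseAuditReport(text) {
  const byName = new Map();
  let cur = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    let m;
    if (cur && (m = /^Severity: (\w+)$/.exec(line))) { cur.severity = m[1]; continue; }
    if (cur && (m = /^(.+) - (https?:\/\/\S+)$/.exec(line))) {
      if (!cur.advisories.some((a) => a.url === m[2])) cur.advisories.push({ title: m[1], url: m[2] });
      continue;
    }
    if (cur && line.startsWith("fix available via")) { cur.fix = line; continue; }
    if (cur && (m = /^Will install (\S+), which is a breaking change$/.exec(line))) { cur.breakingFix = m[1]; continue; }
    if (cur && (m = /^Depends on vulnerable versions of (\S+)$/.exec(line))) { cur.dependsOn.add(m[1]); continue; }
    if (cur && line.startsWith("node_modules/")) { cur.paths.add(line); continue; }
    // Anything else starts a new entry: "<name> <vulnerable range>".
    m = /^(\S+) (.+)$/.exec(line);
    if (!m) throw new Error(`unrecognised report line: ${line}`);
    cur = byName.get(m[1]);
    if (!cur) {
      cur = { name: m[1], range: m[2], severity: "unspecified", advisories: [],
              dependsOn: new Set(), paths: new Set(), fix: null, breakingFix: null };
      byName.set(cur.name, cur);
    }
  }
  return byName;
}

// For each package that carries an advisory, walk the "depends on" edges upwards and
// split the direct dependencies it reaches into those whose vulnerable copy is the
// top-level one (path exactly node_modules/<name>, so package.json controls it) and
// those that only appear as a nested copy owned by something else.
function analyzeReport(text, directDeps) {
  const byName = parseAuditReport(text);
  const dependents = new Map(); // dependency name -> Set of names that depend on it
  for (const e of byName.values()) {
    for (const d of e.dependsOn) {
      if (!dependents.has(d)) dependents.set(d, new Set());
      dependents.get(d).add(e.name);
    }
  }
  const findings = [];
  for (const e of byName.values()) {
    if (e.advisories.length === 0) continue; // transitive "depends on" only, no advisory of its own
    const seen = new Set([e.name]);
    const queue = [e.name];
    while (queue.length > 0) {
      const n = queue.shift();
      for (const p of dependents.get(n) || []) {
        if (!seen.has(p)) { seen.add(p); queue.push(p); }
      }
    }
    const isTopLevel = (n) => byName.get(n).paths.has(`node_modules/${n}`);
    const roots = [...seen].filter((n) => directDeps.has(n) && isTopLevel(n)).sort();
    const nestedOnly = [...seen].filter((n) => directDeps.has(n) && !isTopLevel(n)).sort();
    findings.push({ advisory: e.name, severity: e.severity, urls: e.advisories.map((a) => a.url),
                    breakingFix: e.breakingFix, roots, nestedOnly });
  }
  return findings;
}

// The version npm would force-install per advisory; a single value means one major
// upgrade of one direct dependency is behind the entire report.
function forcedFixTargets(findings) {
  return [...new Set(findings.map((f) => f.breakingFix).filter(Boolean))].sort();
}

const findings = analyzeReport(REPORT, DIRECT_DEPS);
for (const f of findings) {
  const nested = f.nestedOnly.length > 0 ? ` (nested copy only: ${f.nestedOnly.join(", ")})` : "";
  console.log(`${f.advisory} [${f.severity}] -> direct deps: ${f.roots.join(", ") || "none"}${nested}`);
}
console.log("forced fix targets:", forcedFixTargets(findings));
```

Note that http-proxy-middleware is a direct dependency in the question's package.json, yet the vulnerable copy sits under node_modules/webpack-dev-server, so bumping the top-level one would not touch the finding; every chain ends at react-scripts, which is why the only fix npm offers is the react-scripts major upgrade.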
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/webpack/node_modules/os-locale
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/webpack-dev-server/node_modules/yargs
node_modules/webpack/node_modules/yargs
node_modules/yargs
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
webpack 2.0.0-beta - 4.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/webpack
babel-loader 7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
Depends on vulnerable versions of webpack
node_modules/babel-loader
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
file-loader 1.1.1 - 1.1.9
Depends on vulnerable versions of webpack
node_modules/file-loader
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
merge <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/normalize-url
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano <=3.10.0
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
css-loader 0.15.0 - 0.28.11
Depends on vulnerable versions of cssnano
node_modules/css-loader
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
sw-precache >=4.2.0
Depends on vulnerable versions of meow
node_modules/sw-precache
sw-precache-webpack-plugin >=0.8.0
Depends on vulnerable versions of sw-precache
node_modules/sw-precache-webpack-plugin
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.11.2
Severity: high
Missing Origin Validation - https://npmjs.com/advisories/725
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/webpack/node_modules/yargs-parser
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/webpack-dev-server/node_modules/yargs
node_modules/webpack/node_modules/yargs
node_modules/yargs
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
webpack 2.0.0-beta - 4.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/webpack
babel-loader 7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
Depends on vulnerable versions of webpack
node_modules/babel-loader
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
file-loader 1.1.1 - 1.1.9
Depends on vulnerable versions of webpack
node_modules/file-loader
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
You are in a loop because react-scripts@1 has some vulnerable dependencies and react-scripts@4 has different vulnerable dependencies, so you bounce back and forth between them. The first time you run npm audit --fix, you are updated to react-scripts@4.x; when you run it again, it downgrades you to react-scripts@1.x to get rid of the vulnerable dependencies of the 4.x version.

At the time of writing, if you run npx create-react-app my-app, you get react-scripts@4 (along with a warning about 22 vulnerabilities), so probably run npm audit --fix to reach that state, run your tests to make sure nothing is broken, and every now and then check https://www.npmjs.com/package/react-scripts to see whether a release changes the dependencies (and/or run npm audit --fix now and then to see whether it updates automatically).