ReactJS: Moderate severity vulnerabilities while running create-react-app
When running npx create-react-app my-app, I got 10 moderate severity vulnerabilities. They cannot be fixed even after running npm audit fix or npm audit fix --force. When I run npm audit fix --force I get even more: 44 vulnerabilities (25 low, 5 moderate, 14 high), and if I then run the same fix command again I get the 10 moderate severity vulnerabilities back. This loops every time I run the command.
$ npm audit
# npm audit report
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-rc.6
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin
10 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
You have to run npm audit --production instead of npm audit. This is a known issue with no real fix. These should all be in your devDependencies and have no security impact on your production build.
Read more about devDependencies vs dependencies here.
Read more about it on the create-react-app GitHub.
These vulnerabilities seem to come from dev dependencies, so you may not have to fix them.
Dan Abramov, one of the React developers and the creator of Redux, wrote an article explaining this:
https://overreacted.io/npm-audit-broken-by-design/
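As an added example (not code from the question or either answer), a small Python triage script that parses the npm 7 text report shown above into advisory chains and applies the point both answers make about devDependencies: a finding is build-tooling-only when its "Depends on vulnerable versions of" chain ends at a devDependency, which is what `npm audit --production` omits. The report excerpt and the package.json are constructed for this example, and the classification approximates npm's decision from the text report rather than from the lockfile.

```python
import re
# Shortened excerpt of the question's npm audit report (constructed; the real
# one lists ten findings and every chain ends at react-scripts).
AUDIT_REPORT = """\
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
    react-scripts >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of react-dev-utils
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
node_modules/webpack-dev-server/node_modules/glob-parent
"""
# Constructed package.json with react-scripts under devDependencies, as the first
# answer recommends (create-react-app itself puts it under "dependencies").
PACKAGE_JSON = {"dependencies": {"react": "^17.0.2", "react-dom": "^17.0.2"},
                "devDependencies": {"react-scripts": "4.0.3"}}
PKG_LINE = re.compile(r"^(?P<name>@?[\w./-]+) (?P<range>[\d<>=*].*)$")
ADVISORY = re.compile(r" - (?P<url>https://npmjs\.com/advisories/\d+)$")


def parse_audit_report(text):
    """One record per advisory: vulnerable package, severity, advisory URL and
    every package named in its 'Depends on vulnerable versions of' chain."""
    advisories, current = [], None
    lines = [ln.strip() for ln in text.splitlines()] + [""]  # sentinel for look-ahead
    for i, line in enumerate(lines[:-1]):
        m = PKG_LINE.match(line)
        if m and lines[i + 1].startswith("Severity:"):  # 'name range' header line
            current = {"package": m["name"], "chain": {m["name"]}, "url": None,
                       "severity": lines[i + 1].split(":", 1)[1].strip()}
            advisories.append(current)
        elif current and m:                              # a dependent further up the chain
            current["chain"].add(m["name"])
        elif current and (a := ADVISORY.search(line)):
            current["url"] = a["url"]
    return advisories


def classify(advisory, package_json):
    """Approximate the `npm audit --production` decision: a finding reaches the shipped
    bundle only if its chain hits "dependencies"; a "devDependencies" chain is tooling."""
    chain = advisory["chain"]
    if chain & set(package_json.get("dependencies", {})):
        return "production"
    if chain & set(package_json.get("devDependencies", {})):
        return "dev-only"
    return "unresolved"  # report chain never reached a direct dependency
```

With react-scripts left under "dependencies" as create-react-app generates it, the same browserslist finding classifies as "production", which is why the first answer's advice to move it to devDependencies matters for what `npm audit --production` reports.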