npm audit fix --force never gets rid of the vulnerabilities

2023-11-24

I'm in a situation where I have either 22 vulnerabilities or 47. I can run npm audit fix, but I'm always told to run it with the --force switch to actually perform the upgrade. From there I can upgrade and get 22 vulnerabilities, then run --force again and get 47 vulnerabilities, and this cycle goes on forever. What is the best fix for this, leaving the packages as they are?

My package.json

  "dependencies": {
    "animate.css": "^4.1.1",
    "axios": "^0.21.1",
    "bootstrap": "^4.5.3",
    "http-proxy-middleware": "^0.19.1",
    "react": "^17.0.1",
    "react-dom": "^17.0.1",
    "react-ga": "^3.3.0",
    "react-router-dom": "^5.2.0",
    "react-scripts": "^1.1.5",
    "universal-cookie": "^4.0.4",
    "web-vitals": "^0.2.4"
  },

When I try npm --audit fix in one of the two states:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: [email protected]
npm ERR! node_modules/type-fest
npm ERR!   type-fest@"^0.21.3" from [email protected]
npm ERR!   node_modules/ansi-escapes
npm ERR!     ansi-escapes@"^4.2.1" from @jest/[email protected]
npm ERR!     node_modules/@jest/core
npm ERR!       @jest/core@"^26.6.0" from [email protected]
npm ERR!       node_modules/jest
npm ERR!         peer jest@"^26.0.0" from [email protected]
npm ERR!         node_modules/jest-watch-typeahead
npm ERR!         1 more (react-scripts)
npm ERR!       1 more (jest-cli)
npm ERR!     ansi-escapes@"^4.3.1" from [email protected]
npm ERR!     node_modules/jest-watch-typeahead
npm ERR!       jest-watch-typeahead@"0.6.1" from [email protected]
npm ERR!       node_modules/react-scripts
npm ERR!         react-scripts@"^4.0.3" from the root project
npm ERR!     2 more (jest-watcher, terminal-link)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/react-re[email protected]
npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin
npm ERR!   @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from [email protected]
npm ERR!   node_modules/react-scripts
npm ERR!     react-scripts@"^4.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.

And then when I run it one more time with --force:

# npm audit report

braces  <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/anymatch/node_modules/braces
node_modules/jest-cli/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/anymatch/node_modules/micromatch
  node_modules/jest-cli/node_modules/micromatch
  node_modules/jest-haste-map/node_modules/micromatch
  node_modules/jest-message-util/node_modules/micromatch
  node_modules/jest-runtime/node_modules/micromatch
  node_modules/test-exclude/node_modules/micromatch
  node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      sane  1.0.4 - 4.0.1
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of exec-sh
      node_modules/sane
        jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of sane
        node_modules/jest-haste-map
          jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-jasmine2
          Depends on vulnerable versions of jest-message-util
          Depends on vulnerable versions of jest-snapshot
          Depends on vulnerable versions of micromatch
          Depends on vulnerable versions of yargs
          node_modules/jest-cli
            jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
            Depends on vulnerable versions of jest-cli
            node_modules/jest
              react-scripts  0.1.0 - 2.1.8
              Depends on vulnerable versions of babel-jest
              Depends on vulnerable versions of css-loader
              Depends on vulnerable versions of file-loader
              Depends on vulnerable versions of jest
              Depends on vulnerable versions of sw-precache-webpack-plugin
              Depends on vulnerable versions of webpack
              Depends on vulnerable versions of webpack-dev-server
              node_modules/react-scripts
          jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of babel-plugin-istanbul
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-util
          Depends on vulnerable versions of micromatch
          Depends on vulnerable versions of yargs
          node_modules/jest-runtime
    http-proxy-middleware  0.3.0 - 0.17.4
    Depends on vulnerable versions of micromatch
    node_modules/webpack-dev-server/node_modules/http-proxy-middleware
      webpack-dev-server  <=3.11.2
      Depends on vulnerable versions of chokidar
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of yargs
      node_modules/webpack-dev-server
    jest-message-util  18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
    Depends on vulnerable versions of micromatch
    node_modules/jest-message-util
      jest-jasmine2  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
      Depends on vulnerable versions of jest-matchers
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-jasmine2
        jest-config  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
        Depends on vulnerable versions of jest-jasmine2
        node_modules/jest-config
      jest-matchers  >=18.5.0-alpha.7da3df39
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-matchers
      jest-util  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-util
        jest-environment-jsdom  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
        Depends on vulnerable versions of jest-util
        node_modules/jest-environment-jsdom
        jest-environment-node  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
        Depends on vulnerable versions of jest-util
        node_modules/jest-environment-node
        jest-snapshot  18.5.0-alpha.7da3df39 - 21.0.0-beta.1
        Depends on vulnerable versions of jest-util
        node_modules/jest-snapshot
    test-exclude  <=4.2.3
    Depends on vulnerable versions of micromatch
    node_modules/test-exclude
      babel-plugin-istanbul  <=5.0.0
      Depends on vulnerable versions of test-exclude
      node_modules/babel-plugin-istanbul
        babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
        Depends on vulnerable versions of babel-plugin-istanbul
        node_modules/babel-jest

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  <=3.11.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      react-scripts  0.1.0 - 2.1.8
      Depends on vulnerable versions of babel-jest
      Depends on vulnerable versions of css-loader
      Depends on vulnerable versions of file-loader
      Depends on vulnerable versions of jest
      Depends on vulnerable versions of sw-precache-webpack-plugin
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob
      micromatch  0.2.0 - 2.3.11
      Depends on vulnerable versions of braces
      Depends on vulnerable versions of parse-glob
      node_modules/anymatch/node_modules/micromatch
      node_modules/jest-cli/node_modules/micromatch
      node_modules/jest-haste-map/node_modules/micromatch
      node_modules/jest-message-util/node_modules/micromatch
      node_modules/jest-runtime/node_modules/micromatch
      node_modules/test-exclude/node_modules/micromatch
      node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
        anymatch  1.2.0 - 1.3.2
        Depends on vulnerable versions of micromatch
        node_modules/anymatch
          sane  1.0.4 - 4.0.1
          Depends on vulnerable versions of anymatch
          Depends on vulnerable versions of exec-sh
          node_modules/sane
            jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
            Depends on vulnerable versions of micromatch
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
              jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-jasmine2
              Depends on vulnerable versions of jest-message-util
              Depends on vulnerable versions of jest-snapshot
              Depends on vulnerable versions of micromatch
              Depends on vulnerable versions of yargs
              node_modules/jest-cli
                jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
                Depends on vulnerable versions of jest-cli
                node_modules/jest
              jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
              Depends on vulnerable versions of babel-jest
              Depends on vulnerable versions of babel-plugin-istanbul
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-util
              Depends on vulnerable versions of micromatch
              Depends on vulnerable versions of yargs
              node_modules/jest-runtime
        http-proxy-middleware  0.3.0 - 0.17.4
        Depends on vulnerable versions of micromatch
        node_modules/webpack-dev-server/node_modules/http-proxy-middleware
        jest-message-util  18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
        Depends on vulnerable versions of micromatch
        node_modules/jest-message-util
          jest-jasmine2  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
          Depends on vulnerable versions of jest-matchers
          Depends on vulnerable versions of jest-message-util
          node_modules/jest-jasmine2
            jest-config  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
            Depends on vulnerable versions of jest-jasmine2
            node_modules/jest-config
          jest-matchers  >=18.5.0-alpha.7da3df39
          Depends on vulnerable versions of jest-message-util
          node_modules/jest-matchers
          jest-util  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
          Depends on vulnerable versions of jest-message-util
          node_modules/jest-util
            jest-environment-jsdom  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
            Depends on vulnerable versions of jest-util
            node_modules/jest-environment-jsdom
            jest-environment-node  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
            Depends on vulnerable versions of jest-util
            node_modules/jest-environment-node
            jest-snapshot  18.5.0-alpha.7da3df39 - 21.0.0-beta.1
            Depends on vulnerable versions of jest-util
            node_modules/jest-snapshot
        test-exclude  <=4.2.3
        Depends on vulnerable versions of micromatch
        node_modules/test-exclude
          babel-plugin-istanbul  <=5.0.0
          Depends on vulnerable versions of test-exclude
          node_modules/babel-plugin-istanbul
            babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
            Depends on vulnerable versions of babel-plugin-istanbul
            node_modules/babel-jest

js-yaml  <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/js-yaml
  svgo  0.4.2 - 1.0.5
  Depends on vulnerable versions of js-yaml
  node_modules/svgo
    postcss-svgo  <=2.1.6
    Depends on vulnerable versions of svgo
    node_modules/postcss-svgo
      cssnano  <=3.10.0
      Depends on vulnerable versions of postcss-normalize-url
      Depends on vulnerable versions of postcss-svgo
      node_modules/cssnano
        css-loader  0.15.0 - 0.28.11
        Depends on vulnerable versions of cssnano
        node_modules/css-loader
          react-scripts  0.1.0 - 2.1.8
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of file-loader
          Depends on vulnerable versions of jest
          Depends on vulnerable versions of sw-precache-webpack-plugin
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/webpack/node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/webpack-dev-server/node_modules/yargs
    node_modules/webpack/node_modules/yargs
    node_modules/yargs
      jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
      Depends on vulnerable versions of jest-haste-map
      Depends on vulnerable versions of jest-jasmine2
      Depends on vulnerable versions of jest-message-util
      Depends on vulnerable versions of jest-snapshot
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of yargs
      node_modules/jest-cli
        jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
        Depends on vulnerable versions of jest-cli
        node_modules/jest
          react-scripts  0.1.0 - 2.1.8
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of file-loader
          Depends on vulnerable versions of jest
          Depends on vulnerable versions of sw-precache-webpack-plugin
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
      Depends on vulnerable versions of babel-jest
      Depends on vulnerable versions of babel-plugin-istanbul
      Depends on vulnerable versions of jest-haste-map
      Depends on vulnerable versions of jest-util
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of yargs
      node_modules/jest-runtime
      webpack  2.0.0-beta - 4.0.0-beta.3
      Depends on vulnerable versions of yargs
      node_modules/webpack
        babel-loader  7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
        Depends on vulnerable versions of webpack
        node_modules/babel-loader
        extract-text-webpack-plugin  2.0.0-beta.0 - 3.0.2
        Depends on vulnerable versions of webpack
        node_modules/extract-text-webpack-plugin
        file-loader  1.1.1 - 1.1.9
        Depends on vulnerable versions of webpack
        node_modules/file-loader
        webpack-dev-server  <=3.11.2
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server

merge  <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/merge
  exec-sh  <=0.3.1
  Depends on vulnerable versions of merge
  node_modules/exec-sh
    sane  1.0.4 - 4.0.1
    Depends on vulnerable versions of anymatch
    Depends on vulnerable versions of exec-sh
    node_modules/sane
      jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of sane
      node_modules/jest-haste-map
        jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-jasmine2
        Depends on vulnerable versions of jest-message-util
        Depends on vulnerable versions of jest-snapshot
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of yargs
        node_modules/jest-cli
          jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
          Depends on vulnerable versions of jest-cli
          node_modules/jest
            react-scripts  0.1.0 - 2.1.8
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of css-loader
            Depends on vulnerable versions of file-loader
            Depends on vulnerable versions of jest
            Depends on vulnerable versions of sw-precache-webpack-plugin
            Depends on vulnerable versions of webpack
            Depends on vulnerable versions of webpack-dev-server
            node_modules/react-scripts
        jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of babel-plugin-istanbul
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-util
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of yargs
        node_modules/jest-runtime

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/normalize-url
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  node_modules/postcss-normalize-url
    cssnano  <=3.10.0
    Depends on vulnerable versions of postcss-normalize-url
    Depends on vulnerable versions of postcss-svgo
    node_modules/cssnano
      css-loader  0.15.0 - 0.28.11
      Depends on vulnerable versions of cssnano
      node_modules/css-loader
        react-scripts  0.1.0 - 2.1.8
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of file-loader
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of sw-precache-webpack-plugin
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

trim-newlines  <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    sw-precache  >=4.2.0
    Depends on vulnerable versions of meow
    node_modules/sw-precache
      sw-precache-webpack-plugin  >=0.8.0
      Depends on vulnerable versions of sw-precache
      node_modules/sw-precache-webpack-plugin
        react-scripts  0.1.0 - 2.1.8
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of file-loader
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of sw-precache-webpack-plugin
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

webpack-dev-server  <=3.11.2
Severity: high
Missing Origin Validation - https://npmjs.com/advisories/725
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server
  react-scripts  0.1.0 - 2.1.8
  Depends on vulnerable versions of babel-jest
  Depends on vulnerable versions of css-loader
  Depends on vulnerable versions of file-loader
  Depends on vulnerable versions of jest
  Depends on vulnerable versions of sw-precache-webpack-plugin
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-server
  node_modules/react-scripts

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/webpack/node_modules/yargs-parser
node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/webpack-dev-server/node_modules/yargs
  node_modules/webpack/node_modules/yargs
  node_modules/yargs
    jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-jasmine2
    Depends on vulnerable versions of jest-message-util
    Depends on vulnerable versions of jest-snapshot
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of yargs
    node_modules/jest-cli
      jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
      Depends on vulnerable versions of jest-cli
      node_modules/jest
        react-scripts  0.1.0 - 2.1.8
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of file-loader
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of sw-precache-webpack-plugin
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts
    jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of babel-plugin-istanbul
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-util
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of yargs
    node_modules/jest-runtime
    webpack  2.0.0-beta - 4.0.0-beta.3
    Depends on vulnerable versions of yargs
    node_modules/webpack
      babel-loader  7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
      Depends on vulnerable versions of webpack
      node_modules/babel-loader
      extract-text-webpack-plugin  2.0.0-beta.0 - 3.0.2
      Depends on vulnerable versions of webpack
      node_modules/extract-text-webpack-plugin
      file-loader  1.1.1 - 1.1.9
      Depends on vulnerable versions of webpack
      node_modules/file-loader
      webpack-dev-server  <=3.11.2
      Depends on vulnerable versions of chokidar
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of yargs
      node_modules/webpack-dev-server

You're stuck in a loop because react-scripts@1 has some vulnerable dependencies and react-scripts@4 has different vulnerable dependencies, so you keep switching back and forth between them. The first time you run npm audit fix --force, you update to [email protected]; when you run it again, it downgrades you to [email protected] to remove the vulnerable dependencies in 4.x.

As of this writing, if you run npx create-react-app my-app you get react-scripts@4 (and a warning about 22 vulnerabilities), so perhaps run npm audit fix --force to get to that state, run your tests to make sure nothing is broken, and then check https://www.npmjs.com/package/react-scripts from time to time for a release that bumps the dependencies (and/or run npm audit now and then without --force to see whether it has updated on its own).
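Before letting --force rewrite package.json, it helps to know exactly what it would install and which findings plain npm audit fix could handle on its own. The script below is an added example, not code from the question, the answer or the npm project: it triages a report in the shape produced by npm audit --json (npm 7 and later, auditReportVersion 2). The SAMPLE_AUDIT object is constructed by hand in that shape; its package names, ranges and advisory URLs mirror the report above, but the versions in fixAvailable are assumed (4.0.3 is taken from the ERESOLVE error) and "example-direct-dep" is a hypothetical package added to show the non-breaking branch.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ shape) to separate
// findings that `npm audit fix` can resolve from those that only `--force` can,
// and to list what `--force` would actually install.
//
// SAMPLE_AUDIT is constructed by hand. Names and advisory URLs follow the report
// on this page; the fixAvailable versions are assumed; "example-direct-dep" is hypothetical.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    braces: {
      name: "braces", severity: "low", isDirect: false, range: "<2.3.1",
      via: [{ source: 786, name: "braces", dependency: "braces", severity: "low",
              title: "Regular Expression Denial of Service",
              url: "https://npmjs.com/advisories/786", range: "<2.3.1" }],
      effects: ["micromatch"], nodes: ["node_modules/anymatch/node_modules/braces"],
      fixAvailable: { name: "react-scripts", version: "4.0.3", isSemVerMajor: true },
    },
    micromatch: {
      name: "micromatch", severity: "low", isDirect: false, range: "0.2.0 - 2.3.11",
      via: ["braces"], effects: ["anymatch"],
      nodes: ["node_modules/anymatch/node_modules/micromatch"],
      fixAvailable: { name: "react-scripts", version: "4.0.3", isSemVerMajor: true },
    },
    merge: {
      name: "merge", severity: "high", isDirect: false, range: "<2.1.1",
      via: [{ source: 1666, name: "merge", dependency: "merge", severity: "high",
              title: "Prototype Pollution", url: "https://npmjs.com/advisories/1666",
              range: "<2.1.1" }],
      effects: ["exec-sh"], nodes: ["node_modules/merge"],
      fixAvailable: { name: "react-scripts", version: "4.0.3", isSemVerMajor: true },
    },
    "react-scripts": {
      name: "react-scripts", severity: "high", isDirect: true, range: "0.1.0 - 2.1.8",
      via: ["jest", "webpack-dev-server"], effects: [], nodes: ["node_modules/react-scripts"],
      fixAvailable: { name: "react-scripts", version: "4.0.3", isSemVerMajor: true },
    },
    "example-direct-dep": { // hypothetical direct dependency with a non-breaking fix
      name: "example-direct-dep", severity: "moderate", isDirect: true, range: "<1.2.3",
      via: [{ source: 0, name: "example-direct-dep", dependency: "example-direct-dep",
              severity: "moderate", title: "Hypothetical advisory",
              url: "https://example.invalid/advisory", range: "<1.2.3" }],
      effects: [], nodes: ["node_modules/example-direct-dep"], fixAvailable: true,
    },
  },
};

// fixAvailable is false (no fix), true (fix within the current semver ranges) or an
// object naming the root package npm would change and whether that is a major bump.
// Only the last case is what --force adds over plain `npm audit fix`.
function classifyFix(vuln) {
  const fix = vuln.fixAvailable;
  if (!fix) return { kind: "none" };
  if (fix === true) return { kind: "non-breaking" };
  return { kind: fix.isSemVerMajor ? "breaking" : "non-breaking", root: fix.name, version: fix.version };
}

// Bucket every finding at or above minSeverity by what it takes to fix it.
function triage(report, minSeverity = "low") {
  const floor = SEVERITY_RANK[minSeverity];
  const out = { nonBreaking: [], breaking: [], unfixable: [], belowThreshold: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    if (SEVERITY_RANK[vuln.severity] < floor) { out.belowThreshold.push(vuln.name); continue; }
    const fix = classifyFix(vuln);
    const entry = { name: vuln.name, severity: vuln.severity, direct: vuln.isDirect };
    if (fix.kind === "none") out.unfixable.push(entry);
    else if (fix.kind === "breaking") out.breaking.push({ ...entry, root: fix.root, version: fix.version });
    else out.nonBreaking.push(entry);
  }
  return out;
}

// The distinct installs `npm audit fix --force` would perform, e.g. { "react-scripts": "4.0.3" }.
// Compare this with package.json before running --force: as the answer notes, the "fix" can be a downgrade.
function forcedInstalls(report) {
  const targets = {};
  for (const vuln of Object.values(report.vulnerabilities)) {
    const fix = classifyFix(vuln);
    if (fix.kind === "breaking") targets[fix.root] = fix.version;
  }
  return targets;
}

// Advisory URLs behind the findings. Strings in `via` are edges to other entries, not advisories.
function advisories(report) {
  const urls = new Set();
  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const v of vuln.via) if (typeof v === "object") urls.add(v.url);
  }
  return [...urls].sort();
}

// Stand-alone run: triage the constructed report at "moderate" and above.
console.log(JSON.stringify({ triage: triage(SAMPLE_AUDIT, "moderate"),
                             force: forcedInstalls(SAMPLE_AUDIT),
                             advisories: advisories(SAMPLE_AUDIT) }, null, 2));
```

To use it on a real project, save the output of npm audit --json to a file and pass the parsed object to triage() and forcedInstalls(); npm audit fix --dry-run shows the same intended changes from npm's side. Two things the buckets make visible in the report above: nearly every path runs through jest, webpack or webpack-dev-server, i.e. the build and test toolchain that react-scripts pulls in rather than code shipped to the browser, and every finding shares a single "breaking" root (react-scripts), which is exactly why repeated --force runs bounce between two major versions instead of converging.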

