我已经在 Windows 上安装了 32 位的最新 LTS 版本:14.17.0(包括 npm 6.14.13)。 安装节点后,我使用
npm i create-react-app -g
全局安装了 create-react-app 模块
我已经成功安装了它们,没有任何错误。
但是,如果我尝试在终端上运行 npx create-react-app
在脚本中包含
"preinstall": "npx npm-force-resolutions"
并在我的 package.json 文件中包含 "resolutions": "^3.8.0"
后,漏洞得到修复。
但是,我每次创建新项目时都会这样做。
请建议我对此进行永久修复。
我还使用 npm 审核来包含漏洞
# npm audit report
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=2.0.0-next.03604a46
Depends on vulnerable versions of postcss-normalize
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 9.0.0 - 9.8.6
Depends on vulnerable versions of postcss
node_modules/autoprefixer
css-blank-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
postcss-preset-env >=6.0.0
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-double-position-gradients
node_modules/postcss-preset-env
css-declaration-sorter 4.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/css-declaration-sorter
css-has-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-loader 2.0.0 - 4.3.0
Depends on vulnerable versions of postcss
node_modules/css-loader
css-prefers-color-scheme *
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
cssnano 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
Depends on vulnerable versions of postcss
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.2 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
cssnano-preset-default <=4.0.0-rc.2 || 4.0.1 - 4.0.8
Depends on vulnerable versions of cssnano-util-raw-cache
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-calc
node_modules/cssnano-preset-default
cssnano-util-raw-cache >=4.0.1
Depends on vulnerable versions of postcss
node_modules/cssnano-util-raw-cache
icss-utils 4.0.0 - 4.1.1
Depends on vulnerable versions of postcss
node_modules/icss-utils
postcss-modules-local-by-default 2.0.0 - 4.0.0-rc.4
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-values 2.0.0 - 4.0.0-rc.5
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
postcss-attribute-case-insensitive 4.0.0 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-browser-comments 2.0.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-browser-comments
postcss-normalize 7.0.0 - 9.0.0
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-browser-comments
node_modules/postcss-normalize
react-scripts >=2.0.0-next.03604a46
Depends on vulnerable versions of postcss-normalize
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts
postcss-calc 6.0.2 - 7.0.5
Depends on vulnerable versions of postcss
node_modules/postcss-calc
postcss-color-functional-notation >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 4.0.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-colormin 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-colormin
postcss-convert-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-convert-values
postcss-custom-media 7.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 8.0.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 5.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-discard-comments 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-comments
postcss-discard-duplicates 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-duplicates
postcss-discard-empty 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-empty
postcss-discard-overridden 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-overridden
postcss-double-position-gradients *
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-flexbugs-fixes 4.0.0 - 4.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-flexbugs-fixes
postcss-focus-visible >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial 3.0.0 - 3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-loader 3.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-loader
postcss-logical >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-merge-longhand 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
Depends on vulnerable versions of postcss
node_modules/postcss-merge-longhand
postcss-merge-rules 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-merge-rules
postcss-minify-font-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-font-values
postcss-minify-gradients 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-gradients
postcss-minify-params 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-params
postcss-minify-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-selectors
postcss-modules-extract-imports 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-scope 2.0.0 - 2.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-nesting 7.0.0 - 7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-normalize-charset 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-charset
postcss-normalize-display-values <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-display-values
postcss-normalize-positions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-positions
postcss-normalize-repeat-style <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-repeat-style
postcss-normalize-string <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-string
postcss-normalize-timing-functions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-timing-functions
postcss-normalize-unicode <=4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-unicode
postcss-normalize-url 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-url
postcss-normalize-whitespace <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-whitespace
postcss-ordered-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-ordered-values
postcss-overflow-shorthand >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link >=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-reduce-initial 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-replace-overflow-wrap 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
postcss-svgo 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-svgo
postcss-unique-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
resolve-url-loader 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
stylehacks 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks
82 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force ```
在 CRA 团队更新
react-scripts
之前,我认为要使 npx npm-force-resolutions
正常工作,您可能需要编辑 package.json
并在根目录添加 "resolutions"
部分。在本节中,您可以尝试指定问题包的版本更新。因此,对于您的 postcss
来说,它将如下所示(将版本更改为 npm audit
建议修复的版本):
"resolutions": {
"postcss": "7.0.36",
"glob-parent": "^5.1.2",
"css-what": "^5.0.1",
"normalize-url": "^4.5.1"
}
上面的配置似乎是我解决我的 CRA 项目的方式,该项目报告了 8 个漏洞,其中 4 个中度漏洞和 4 个高漏洞,直至 1 个中度漏洞(涉及
browserslist
包)。 postcss
的 7.0.36 版本是最新版本 7 postcss
,已从 postcss
版本 8 向后移植了 ReDoS 修复。我尝试在分辨率中将 postcss
更新为 8,但它会导致其他问题,我猜测,与 WebPack 中使用的 postcss
插件的重大更改有关。我是一名网络开发新手,所以我在这里猜测。最后,我似乎无法更新 browserlist
,而不会在执行 npm start
时导致运行时出现“浏览器列表模块未找到”错误。
这是我的终端输出,一切就绪并正在运行
npm i
npm i
> [email protected] preinstall F:\01-Projects\testpostcss
> npx npm-force-resolutions
npx: installed 6 in 1.566s
npm WARN @babel/[email protected] requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\watchpack-chokidar2\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\webpack-dev-server\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
audited 2422 packages in 17.483s
141 packages are looking for funding
run `npm fund` for details
found 1 moderate severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
seefe testpostcss master ≢ ~2 14.17.1 ﮫ 18.808s
npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular Expression Denial of Service
Package browserslist
Patched in >=4.16.5
Dependency of react-scripts
Path react-scripts > react-dev-utils > browserslist
More info https://npmjs.com/advisories/1747
found 1 moderate severity vulnerability in 2422 scanned packages
1 vulnerability requires manual review. See the full report for details.
seefe testpostcss master ≢ ~2 14.17.1 ﮫ 2.442s
我多次遇到这个恼人的错误,这就是我修复错误的方法,
第一次运行
npm audit
然后大多数时候它会问我:npm ERR!审核 尝试先使用以下命令创建一个: npm i --package-lock-only
然后我输入
npm i --package-lock-only
大多数情况下它都有效,不会再出现漏洞。
发生错误,但我不知道真正原因是什么。 我提供的解决方案对我有用,并且没有更多漏洞。
这是显示错误发生的图像 [1]:https://i.sstatic.net/JMED4.jpg
这是显示我使用的解决方案的图像。 [2]:https://i.sstatic.net/DQFUV.jpg
暂时(希望)解决此问题的一个粗略方法是将其添加到依赖项和分辨率中。
将其添加到分辨率中将完全停止安装react-scripts的依赖项(故意导致模块未找到错误)。
将其添加到依赖项将安装更新的版本。
然后它会找到并使用已安装的依赖项(更新版本)作为构建时react-scripts的依赖项。
"dependencies": {
"browserslist": "^4.16.5",
}
"resolutions": {
"browserslist": "4.16.5"
}
Postcss 的降级只是由 4 个漏洞 76 造成的... 我什至降级了所有其他使用 postcss 的依赖项。 徒劳地看起来比以前更严重了。我重做了所有...