npx create-react-app does not reflect the latest update to webpack-dev-server 3.11.0

Question  Votes: 0  Answers: 1

This is my first SO question, so apologies for the lengthy code. I am trying to start a new project using create-react-app. I ran the following command:

npx create-react-app jam-box --use-npm

because I wanted to use npm instead of yarn, and everything worked fine: the project boilerplate was created. But there is a security vulnerability in one of the react-scripts dependencies:

[Angie @ ~/jam-box](master)
$ npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > yargs > yargs-parser    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 922235 scanned packages
  1 vulnerability requires manual review. See the full report for details.
[Angie @ ~/jam-box](master)
$ 

I tried running npm audit fix, but that didn't work. I visited both the webpack-dev-server GitHub and the create-react-app GitHub, and it looks like they have been working on this security issue, and as of two days ago the issue was fixed and merged into create-react-app master.

When I run npm i react-scripts@latest in my project:

[Angie @ ~/jam-box](master)
$ npm i react-scripts@latest
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN [email protected] requires a peer of node-sass@^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of sass@^1.3.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of fibers@>= 3.1.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

+ [email protected]
updated 1 package and audited 922235 packages in 46.013s

2 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

I have been running into this issue for a few days and was waiting to see whether they would fix it before trying to create a new create-react-app project. But today, when I tried running npx create-react-app jam-box --use-npm again, the security vulnerability was still there. I even tried running npm install react-scripts@latest, and the vulnerability persists. When I look at package-lock.json, it says react-scripts is still using an older version of webpack-dev-server rather than the latest 3.11.0. I don't understand why running npx create-react-app doesn't reflect the latest master branch of create-react-app. I just want to run create-react-app at the latest version; any help would be greatly appreciated.

npx create-react-app jam-box --use-npm
npx: installed 98 in 9.648s

Creating a new React app in /Users/Angie/jam-box.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...


> [email protected] install /Users/Angie/jam-box/node_modules/jest-haste-map/node_modules/fsevents
> node install.js

  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  SOLINK_MODULE(target) Release/fse.node

> [email protected] install /Users/Angie/jam-box/node_modules/watchpack/node_modules/fsevents
> node install.js

  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  SOLINK_MODULE(target) Release/fse.node

> [email protected] install /Users/Angie/jam-box/node_modules/webpack-dev-server/node_modules/fsevents
> node install.js

  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  SOLINK_MODULE(target) Release/fse.node

> [email protected] postinstall /Users/Angie/jam-box/node_modules/babel-runtime/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"


> [email protected] postinstall /Users/Angie/jam-box/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"


> [email protected] postinstall /Users/Angie/jam-box/node_modules/core-js-pure
> node -e "try{require('./postinstall')}catch(e){}"

+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
added 1620 packages from 760 contributors and audited 922030 packages in 107.471s

59 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Initialized a git repository.

Installing template dependencies using npm...
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

+ @testing-library/[email protected]
+ @testing-library/[email protected]
+ @testing-library/[email protected]
added 36 packages from 56 contributors and audited 922236 packages in 19.35s

59 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
Removing template package using npm...

npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

removed 1 package and audited 922235 packages in 12.693s

59 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Created git commit.

Success! Created jam-box at /Users/Angie/jam-box
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd jam-box
  npm start

Happy hacking!

Tags: npm create-react-app webpack-dev-server npx yargs

1 Answer

0 votes

Angie! I have been looking into this vulnerability too, hoping to fix it as well!

My understanding is that react-scripts has not yet updated its dependency to point to webpack-dev-server 3.11.0. Since webpack-dev-server is a dependency of react-scripts (which create-react-app uses), react-scripts needs to update it in its own codebase. We can't change that dependency ourselves.

As you pointed out, webpack-dev-server updated its dependency on yargs to address the "security vulnerability in yargs-parser (#2566) (41d1d0c)" (webpack-dev-server release notes: https://github.com/webpack/webpack-dev-server/releases).

But react-scripts (maintained and used by create-react-app, https://github.com/facebook/create-react-app/tree/master/packages/react-scripts) has not yet updated its dependency on webpack-dev-server to use the new 3.11.0 version.

I think this could be brought to their attention, asking them to update the dependency on webpack-dev-server to point to the latest version that addresses the security vulnerability, but honestly I'm not sure how that is done.

I hope this helps in some way.
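As an added example (not code from the question, the answer or the create-react-app project), the script below reproduces the "Path" lookup that npm audit prints by walking a lockfileVersion 1 package-lock.json and checks every installed copy of yargs-parser against the advisory's "Patched in" ranges. The lockfile fragment is constructed and its version numbers are assumptions, not the real ones from the project.

```javascript
// Added example, not code from the question, the answer or create-react-app: walk a
// lockfileVersion 1 package-lock.json the way Node resolves modules, list each chain that
// reaches the flagged package (the audit "Path" row) and test it against the patched ranges.
const PATCHED = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2'; // range from the audit table

// Constructed lockfile fragment in the npm 6 layout; the versions are assumptions.
const lock = { dependencies: {
  'react-scripts': { version: '3.4.1', requires: { 'webpack-dev-server': '3.10.3', jest: '24.9.0' } },
  'webpack-dev-server': { version: '3.10.3', requires: { yargs: '12.0.5' },
    dependencies: { yargs: { version: '12.0.5', requires: { 'yargs-parser': '11.1.1' } },
                    'yargs-parser': { version: '11.1.1' } } },
  jest: { version: '24.9.0', requires: { 'yargs-parser': '18.1.3' } },
  'yargs-parser': { version: '18.1.3' },
} };
const ROOT_DEPS = ['react-scripts']; // what the app's package.json lists directly (constructed)

// Minimal semver: compares x.y.z strings and evaluates npm-style "a b || c" range strings.
const cmp = (a, b) => { const [x, y] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1; return 0; };
const OPS = { '>=': c => c >= 0, '<=': c => c <= 0, '>': c => c > 0, '<': c => c < 0, '=': c => c === 0 };
function satisfies(version, range) {
  return range.split('||').some(clause => clause.trim().split(/\s+/).every(term => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(term);
    return Boolean(m) && OPS[m[1] || '='](cmp(version, m[2]));
  }));
}

// Node resolution order: the nearest nested node_modules first, then outward to the root.
function resolve(stack, name) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const d = stack[i].node.dependencies; if (d && d[name]) return d[name];
  }
  return null;
}

// Enumerate every require chain from the root to `target`, like the audit "Path" row.
function findPaths(lockfile, target, rootDeps) {
  const out = [];
  const walk = (stack, wanted) => {
    for (const name of wanted) {
      const child = resolve(stack, name);
      if (!child || stack.some(s => s.node === child)) continue; // unresolved or a cycle
      const chain = [...stack, { name, node: child }];
      if (name === target) out.push({ path: chain.slice(1).map(s => s.name).join(' > '),
        version: child.version, patched: satisfies(child.version, PATCHED) });
      else walk(chain, Object.keys(child.requires || {}));
    }
  };
  walk([{ name: '<root>', node: lockfile }], rootDeps);
  return out;
}
```

Calling `findPaths(lock, 'yargs-parser', ROOT_DEPS)` returns one unpatched chain through webpack-dev-server > yargs and one patched chain through jest, which is why `npm audit fix` cannot help until react-scripts itself moves to a fixed webpack-dev-server.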
