# npm audit report
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
I am using npm 8.12.1 and node 16.15.1. react-icons just released its 4.4.0; I tried to install it and ended up with this message. I tried npm audit fix --force. The vulnerabilities and severity stayed the same. I would like to hear your thoughts on this message. So if react-icons is not safe, which package is an alternative for icons?
3 answers
unhi4e5o1#
Had a similar issue. This helped me understand.
https://github.com/facebook/create-react-app/issues/11174
Edit:
npm audit is broken for front-end tooling by design
More reading here: https://overreacted.io/npm-audit-broken-by-design/
Create React App is a build tool. In other words, it doesn't produce a running Node application. It runs at the build time during development, and produces static assets.
However, npm audit is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.
This means that the overwhelming amount of "vulnerability" reports we receive for transitive dependencies are false positives. Despite literally a hundred issues with thousands of comments about npm audit warnings in react-scripts, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users.
If you'd like to still fix the warnings:
Open package.json. You will find this:
"dependencies": {
  "react": "^17.0.2",
  "react-dom": "^17.0.2",
  "react-scripts": "4.0.3"
}
Take react-scripts and move it to devDependencies (if you don't have it, create it):
"dependencies": {
  "react": "^17.0.2",
  "react-dom": "^17.0.2"
},
"devDependencies": {
  "react-scripts": "4.0.3"
},
Then, ensure you run
npm audit --production
rather than npm audit. This will fix your warnings.
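The two steps in that answer, as an added example that is not the answerer's code: a function that moves build tooling such as react-scripts into devDependencies, and a check that walks an audit finding's dependency chain to see whether it reaches the app only through a dev dependency. It assumes the npm 7+ `npm audit --json` layout, where each entry under "vulnerabilities" names the packages that depend on it in "effects"; the sample audit data and package.json are constructed to mirror the report above.

```javascript
// Added example, not code from the thread. It reproduces the answer's triage
// in code: (1) move react-scripts to devDependencies and (2) decide whether an
// audit finding is reachable only through build-time (dev) tooling. Assumes the
// npm 7+ `npm audit --json` layout, where each entry under "vulnerabilities"
// lists the packages that depend on it in "effects".

// Returns a copy of package.json with `names` moved to devDependencies.
function moveToDevDependencies(pkg, names) {
  const dependencies = { ...(pkg.dependencies || {}) };
  const devDependencies = { ...(pkg.devDependencies || {}) };
  for (const name of names) {
    if (name in dependencies) {
      devDependencies[name] = dependencies[name];
      delete dependencies[name];
    }
  }
  return { ...pkg, dependencies, devDependencies };
}
// Follows "effects" edges from `name` up to packages nothing else depends on:
// those are the roots the app itself declares in package.json.
function chainRoots(vulnerabilities, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const effects = (vulnerabilities[name] || {}).effects || [];
  if (effects.length === 0) return [name];
  return effects.flatMap((e) => chainRoots(vulnerabilities, e, seen));
}

// A finding is dev-only when every root is declared in devDependencies only.
function isDevOnlyFinding(pkg, vulnerabilities, name) {
  const roots = chainRoots(vulnerabilities, name);
  return roots.length > 0 && roots.every(
    (r) => r in (pkg.devDependencies || {}) && !(r in (pkg.dependencies || {})));
}

// Constructed sample mirroring the nth-check -> react-scripts chain above.
const SAMPLE_AUDIT = {
  'nth-check': { severity: 'high', effects: ['css-select'] },
  'css-select': { severity: 'high', effects: ['svgo'] },
  svgo: { severity: 'high', effects: ['@svgr/plugin-svgo'] },
  '@svgr/plugin-svgo': { severity: 'high', effects: ['@svgr/webpack'] },
  '@svgr/webpack': { severity: 'high', effects: ['react-scripts'] },
  'react-scripts': { severity: 'high', effects: [] },
};
const SAMPLE_PKG = {
  dependencies: { react: '^17.0.2', 'react-dom': '^17.0.2', 'react-scripts': '4.0.3' },
};
console.log(isDevOnlyFinding(moveToDevDependencies(SAMPLE_PKG, ['react-scripts']),
  SAMPLE_AUDIT, 'nth-check')); // true once react-scripts is a devDependency
```

Before the move the check returns false, because react-scripts is still declared under "dependencies"; after it, the whole nth-check chain is classified as dev-only, which is what `npm audit --production` then omits.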
20jt8wwn2#
Not all vulnerabilities are the same. I had this exact same error; further research showed it is common and, in my case, it could be ignored (using
npm view nth-check version
showed I had a later version than the error suggested, and I don't believe this vulnerability poses a security problem). Also, don't blindly use
npm audit fix --force
. For example, in my case it would force nth-check and react-scripts to downgrade, which would introduce possibly worse vulnerabilities. Further research showed that not having 0 vulnerabilities is quite normal; each vulnerability needs to be weighed on its merits against what you are building, so this may be a personal research decision.
nr7wwzry3#
"react": "^18.2.0",
"react-dom": "^18.2.0",
},
"devDependencies": {
  "react-scripts": "5.0.1",
I resolved the conflict this way, by changing to these versions.