6 high-severity vulnerabilities in NodeJS react-icons 4.4.0

cidc1ykv, published 2023-04-20 in Node.js
# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I am using npm 8.12.1 and node 16.15.1. react-icons has just released 4.4.0; I tried to install it and ended up with this message. I tried npm audit fix --force. The vulnerabilities and their severities stayed the same. I would like to hear your views on this message. So, if react-icons is insecure, which package is an alternative for icons?

unhi4e5o1#

Had a similar issue. This helped me understand.
https://github.com/facebook/create-react-app/issues/11174
Edit:
npm audit is broken for front-end tooling by design
More reading here: https://overreacted.io/npm-audit-broken-by-design/
Create React App is a build tool. In other words, it doesn't produce a running Node application. It runs at the build time during development, and produces static assets.
However, npm audit is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.
This means that the overwhelming amount of "vulnerability" reports we receive for transitive dependencies are false positives. Despite literally a hundred issues with thousands of comments about npm audit warnings in react-scripts, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users.
If you'd like to still fix the warnings:
Open package.json. You will find this:
"dependencies": {
  "react": "^17.0.2",
  "react-dom": "^17.0.2",
  "react-scripts": "4.0.3"
}
Take react-scripts and move it to devDependencies (if you don't have it, create it):
"dependencies": {
  "react": "^17.0.2",
  "react-dom": "^17.0.2"
},
"devDependencies": {
  "react-scripts": "4.0.3"
}
Then, ensure you run npm audit --production rather than npm audit.
This will fix your warnings.

20jt8wwn2#

Not all vulnerabilities are the same. I had this exact same error, and further research showed it is common and, in my case, could be ignored (running npm view nth-check version showed I had a later version than the error suggested, and I don't believe this vulnerability poses a security problem).
Also, don't blindly use npm audit fix --force. For example, in my case it would force downgrades of the nth-check and react-scripts versions, which introduce potentially worse vulnerabilities.
Further research shows that not having zero vulnerabilities is perfectly normal; each one needs to be weighed on its merits against what you are building, so this may be a personal research decision.
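As an added example (not code from the question or from any of the answers here), the following JavaScript models what the first two answers describe: npm audit walks the installed tree from package.json, so a build-time tool like react-scripts listed under dependencies drags its whole transitive chain (@svgr/webpack, svgo, css-select, nth-check) into a production audit, while the same chain under devDependencies is skipped by `npm audit --production` (npm 8 also spells it `--omit=dev`). It also shows the second answer's point that `npm view nth-check version` reports the latest published version, not the nested copy at node_modules/svgo/node_modules/nth-check that svgo actually resolves. The manifest, installed tree, version numbers and the single advisory below are constructed for the demo to mirror the shape of the audit output above; they are not read from a real lockfile, and the mini range matcher only handles the range forms that appear in that output.

```javascript
// Constructed root manifest: react-scripts listed as a runtime dependency, as in the question.
const packageJson = {
  dependencies: { react: "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1" },
  devDependencies: {},
};

// Constructed installed tree, one entry per installed copy (paths as npm would lay them out).
// Note the nested, older nth-check under svgo: that is the copy the audit above points at.
const tree = {
  "node_modules/react": { version: "18.2.0", deps: {} },
  "node_modules/react-dom": { version: "18.2.0", deps: { react: "node_modules/react" } },
  "node_modules/react-scripts": { version: "5.0.1", deps: { "@svgr/webpack": "node_modules/@svgr/webpack" } },
  "node_modules/@svgr/webpack": { version: "5.5.0", deps: { "@svgr/plugin-svgo": "node_modules/@svgr/plugin-svgo" } },
  "node_modules/@svgr/plugin-svgo": { version: "5.5.0", deps: { svgo: "node_modules/svgo" } },
  "node_modules/svgo": { version: "1.3.2", deps: { "css-select": "node_modules/svgo/node_modules/css-select" } },
  "node_modules/svgo/node_modules/css-select": { version: "2.1.0", deps: { "nth-check": "node_modules/svgo/node_modules/nth-check" } },
  "node_modules/svgo/node_modules/nth-check": { version: "1.0.2", deps: {} },
};

// The root advisory from the report; the "Depends on vulnerable versions of ..." lines
// npm prints for css-select, svgo, etc. are derived from this one, so only it is modelled.
const advisories = [{ id: "GHSA-rp65-9cf3-cjxr", name: "nth-check", range: "<2.0.1", severity: "high" }];

// What `npm view nth-check version` would show: the latest published version (constructed value).
const latestPublished = { "nth-check": "2.1.1" };

// Minimal semver helpers; pre-release tags are not handled (none appear in the audit output).
function compareVersions(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Supports the range forms in the report: "<2.0.1", "<=3.1.0", ">=2.1.4", "1.0.0 - 1.3.2".
function inRange(version, range) {
  const hyphen = range.match(/^(\S+)\s+-\s+(\S+)$/);
  if (hyphen) return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  const m = range.match(/^(<=|>=|<|>)(\S+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0 }[m[1]];
}

// Depth-first walk from the manifest's direct dependencies; devDependencies are
// skipped when omitDev is true, which is what --production / --omit=dev does.
function reachable(manifest, installed, { omitDev }) {
  const start = Object.keys(manifest.dependencies || {});
  if (!omitDev) start.push(...Object.keys(manifest.devDependencies || {}));
  const seen = new Set();
  const stack = start.map((name) => `node_modules/${name}`);
  while (stack.length) {
    const path = stack.pop();
    if (seen.has(path) || !installed[path]) continue;
    seen.add(path);
    stack.push(...Object.values(installed[path].deps));
  }
  return seen;
}

// Report advisories whose range matches a reachable installed copy (by its own version,
// not the latest published one). Returns one finding per matching copy.
function audit(manifest, installed, advisoryList, { omitDev }) {
  const findings = [];
  for (const path of reachable(manifest, installed, { omitDev })) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    for (const adv of advisoryList) {
      if (adv.name === name && inRange(installed[path].version, adv.range)) {
        findings.push({ id: adv.id, path, version: installed[path].version, severity: adv.severity });
      }
    }
  }
  return findings;
}

// The first answer's fix: move build-time tooling to devDependencies. Returns a new manifest.
function moveToDev(manifest, names) {
  const deps = { ...(manifest.dependencies || {}) };
  const dev = { ...(manifest.devDependencies || {}) };
  for (const n of names) if (n in deps) { dev[n] = deps[n]; delete deps[n]; }
  return { ...manifest, dependencies: deps, devDependencies: dev };
}

// Summary for a quick stand-alone run.
function summarize() {
  const before = audit(packageJson, tree, advisories, { omitDev: true });
  const fixedManifest = moveToDev(packageJson, ["react-scripts"]);
  const afterProd = audit(fixedManifest, tree, advisories, { omitDev: true });
  const afterFull = audit(fixedManifest, tree, advisories, { omitDev: false });
  return {
    prodBeforeMove: before.length,
    prodAfterMove: afterProd.length,
    fullAfterMove: afterFull.length,
    latestIsVulnerable: inRange(latestPublished["nth-check"], advisories[0].range),
  };
}

console.log(summarize()); // { prodBeforeMove: 1, prodAfterMove: 0, fullAfterMove: 1, latestIsVulnerable: false }
```

The point the numbers make: the finding does not go away because anything was patched; it goes away because the production walk no longer starts at react-scripts. A full audit of the same tree still reports it, which is the expected state for a build tool that never ships to the browser, and `latestIsVulnerable` is false even though the installed nested copy is in range, which is why `npm view` alone does not tell you whether you are affected.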

nr7wwzry3#

  "react": "^18.2.0",
  "react-dom": "^18.2.0"
},
"devDependencies": {
  "react-scripts": "5.0.1",
I resolved the conflict this way, by changing to these versions.
