linux NPM漏洞无法修复

7cjasjjr  于 2023-08-03  发布在  Linux
关注(0)|答案(2)|浏览(98)

I started learning react and created my first app by running:
'npx create-react-app my-app'
After the app was built I got a warning in the terminal that says:
22 vulnerabilities (9 moderate, 13 high)
I tried to fix it by running:
'npm audit fix'
But it returned this:
npm ERR! code ERESOLVE npm ERR! ERESOLVE unable to resolve dependency tree npm ERR! npm ERR! Found: type-fest@0.21.3 npm ERR! node_modules/type-fest npm ERR! type-fest@"^0.21.3" from ansi-escapes@4.3.2 npm ERR! node_modules/ansi-escapes npm ERR! ansi-escapes@"^4.2.1" from @jest/core@26.6.3 npm ERR! node_modules/@jest/core npm ERR! @jest/core@"^26.6.0" from jest@26.6.0 npm ERR! node_modules/jest npm ERR! peer jest@"^26.0.0" from jest-watch-typeahead@0.6.1 npm ERR! node_modules/jest-watch-typeahead npm ERR! 1 more (react-scripts) npm ERR! 1 more (jest-cli) npm ERR! ansi-escapes@"^4.3.1" from jest-watch-typeahead@0.6.1 npm ERR! node_modules/jest-watch-typeahead npm ERR! jest-watch-typeahead@"0.6.1" from react-scripts@4.0.3 npm ERR! node_modules/react-scripts npm ERR! react-scripts@"4.0.3" from the root project npm ERR! 2 more (jest-watcher, terminal-link) npm ERR! npm ERR! Could not resolve dependency: npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/react-refresh-webpack-plugin@0.4.3 npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin npm ERR! @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from react-scripts@4.0.3 npm ERR! node_modules/react-scripts npm ERR! react-scripts@"4.0.3" from the root project npm ERR! npm ERR! Fix the upstream dependency conflict, or retry npm ERR! this command with --force, or --legacy-peer-deps npm ERR! to accept an incorrect (and potentially broken) dependency resolution. npm ERR! npm ERR! See /home/azizdragon/.npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in: npm ERR!
/home/azizdragon/.npm/_logs/2021-06-23T03_09_31_663Z-debug.log
I tried deleting the package-lock.json file and node_modules folder and run:
npm install
But it resulted in the same vulnerabilities, here is the report when I run "npm audit":
browserslist 4.0.0 - 4.16.4 Severity: moderate Regular Expression Denial of Service - https://npmjs.com/advisories/1747 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/react-dev-utils/node_modules/browserslist react-dev-utils >=6.0.0-next.03604a46 Depends on vulnerable versions of browserslist node_modules/react-dev-utils react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts
css-what <5.0.1 Severity: high Denial of Service - https://npmjs.com/advisories/1754 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/svgo/node_modules/css-what css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select svgo >=1.0.0 Depends on vulnerable versions of css-select node_modules/svgo @svgr/plugin-svgo * Depends on vulnerable versions of svgo node_modules/@svgr/plugin-svgo @svgr/webpack >=4.0.0 Depends on vulnerable versions of @svgr/plugin-svgo node_modules/@svgr/webpack react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts postcss-svgo >=4.0.0-nightly.2020.1.9 Depends on vulnerable versions of svgo node_modules/postcss-svgo cssnano-preset-default * Depends on vulnerable versions of postcss-normalize-url Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.4 || 5.0.6 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin
glob-parent <5.1.2 Severity: moderate Regular expression denial of service - https://npmjs.com/advisories/1751 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/watchpack-chokidar2/node_modules/glob-parent node_modules/webpack-dev-server/node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar

node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 3.11.2 Depends on vulnerable versions of chokidar node_modules/webpack-dev-server @pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4 Depends on vulnerable versions of webpack-dev-server node_modules/@pmmmwh/react-refresh-webpack-plugin react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts
normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/1755 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/normalize-url node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin 0.6.0 - 1.0.0 Depends on vulnerable versions of normalize-url node_modules/mini-css-extract-plugin react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts postcss-normalize-url <=4.0.1 Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url cssnano-preset-default * Depends on vulnerable versions of postcss-normalize-url Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.4 || 5.0.6 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin
22 vulnerabilities (9 moderate, 13 high)
To address issues that do not require attention, run: npm audit fix
To address all issues (including breaking changes), run: npm audit fix --force
Should I use npm audit fix --force? If it helps, I run Linux Mint 18.3 Cinnamon 64-bit Node version: v16.0.0 NPM version: 7.18.1
Thanks in advance.

1yjd4xko

1yjd4xko1#

正如Matthew Daly在Dan Abramov的这篇博客文章npm audit: Broken by Design之后的评论中提到的,* 大多数或可能所有的警告都与开发依赖项有关,因此它们不会影响您的生产构建 *,您根本不需要担心修复它们。
这并不意味着开发依赖项的漏洞在任何情况下、任何包和任何版本中都是无害的。
根据我的经验,大多数情况下,使用npm audit无法解决所有问题,而且几乎总是使用npm audit --force会使情况变得更糟,并破坏您的应用程序。
因此,当我安装一个流行的、高度维护的软件包(如create-react-app)的最新版本时,我会忽略这些警告。
当然,像CRA这样的库的维护者都知道这些警告,如果它们很严重,他们会立即修复它们。
确保这些警告无害的另一种方法是检查reported issues of the create-react-app或任何其他库,看看响应是什么。
我强烈推荐你阅读上面提到的文章,npm audit: Broken by Design

esbemjvw

esbemjvw2#

我很确定CRA不再维护。如果应用程序是纯前端的,Vite是一个很好的选择。
https://medium.com/@dawid.niegrebecki/create-react-app-is-dead-what-to-use-instead-fcdd46b70295

相关问题