运行 npx create-react-app 后发现中等严重性漏洞 [英] Moderate severity vulnerabilities found after running npx create-react-app
问题描述
我已在 Windows 上安装了 32 位的最新 LTS 版本:14.17.0(包括 npm 6.14.13).节点安装后,我使用 npm i create-react-app -g
I have installed the latest LTS Version: 14.17.0 (includes npm 6.14.13) of 32-bit on Windows.
After the node installation, I've installed create-react-app module globally using npm i create-react-app -g
我已经成功安装了它们,没有任何错误.但是,如果我尝试运行 npx create-react-app <project-name>在我的终端上,我收到了 82 个中等严重性的 browserslist 和 postcss 依赖项漏洞,内容为 正则表达式拒绝服务我也尝试过使用旧版本的节点,但漏洞仍然相同.
I've installed both of them successfully without any errors. But, if I try to run npx create-react-app <project-name> on my terminal, I get 82 moderate severity vulnerabilities of browserslist and postcss dependencies saying Regular Expression Denial of Service I've also tried using the older versions of node but, the vulnerabilities are still the same.
在脚本中包含preinstall":npx npm-force-resolutions"
和resolutions":^3.8.0"<后,漏洞得到修复/code> 在我的 package.json 文件中.但是,我每次创建新项目时都会这样做.
The vulnerabilities gets fixed after including "preinstall": "npx npm-force-resolutions"
in the scripts and "resolutions": "^3.8.0"
in my package.json file.
But, I would to do this every time I create a new project.
请建议我对此进行永久修复.
Please suggest me a permanent fix to this.
我还包括使用 npm 审计的漏洞
I am also including the vulnerabilities using npm audit
# npm audit report
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=2.0.0-next.03604a46
Depends on vulnerable versions of postcss-normalize
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 9.0.0 - 9.8.6
Depends on vulnerable versions of postcss
node_modules/autoprefixer
css-blank-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
postcss-preset-env >=6.0.0
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-double-position-gradients
node_modules/postcss-preset-env
css-declaration-sorter 4.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/css-declaration-sorter
css-has-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-loader 2.0.0 - 4.3.0
Depends on vulnerable versions of postcss
node_modules/css-loader
css-prefers-color-scheme *
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
cssnano 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
Depends on vulnerable versions of postcss
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.2 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
cssnano-preset-default <=4.0.0-rc.2 || 4.0.1 - 4.0.8
Depends on vulnerable versions of cssnano-util-raw-cache
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-calc
node_modules/cssnano-preset-default
cssnano-util-raw-cache >=4.0.1
Depends on vulnerable versions of postcss
node_modules/cssnano-util-raw-cache
icss-utils 4.0.0 - 4.1.1
Depends on vulnerable versions of postcss
node_modules/icss-utils
postcss-modules-local-by-default 2.0.0 - 4.0.0-rc.4
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-values 2.0.0 - 4.0.0-rc.5
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
postcss-attribute-case-insensitive 4.0.0 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-browser-comments 2.0.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-browser-comments
postcss-normalize 7.0.0 - 9.0.0
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-browser-comments
node_modules/postcss-normalize
react-scripts >=2.0.0-next.03604a46
Depends on vulnerable versions of postcss-normalize
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts
postcss-calc 6.0.2 - 7.0.5
Depends on vulnerable versions of postcss
node_modules/postcss-calc
postcss-color-functional-notation >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 4.0.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-colormin 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-colormin
postcss-convert-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-convert-values
postcss-custom-media 7.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 8.0.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 5.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-discard-comments 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-comments
postcss-discard-duplicates 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-duplicates
postcss-discard-empty 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-empty
postcss-discard-overridden 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-overridden
postcss-double-position-gradients *
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-flexbugs-fixes 4.0.0 - 4.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-flexbugs-fixes
postcss-focus-visible >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial 3.0.0 - 3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-loader 3.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-loader
postcss-logical >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-merge-longhand 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
Depends on vulnerable versions of postcss
node_modules/postcss-merge-longhand
postcss-merge-rules 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-merge-rules
postcss-minify-font-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-font-values
postcss-minify-gradients 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-gradients
postcss-minify-params 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-params
postcss-minify-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-selectors
postcss-modules-extract-imports 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-scope 2.0.0 - 2.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-nesting 7.0.0 - 7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-normalize-charset 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-charset
postcss-normalize-display-values <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-display-values
postcss-normalize-positions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-positions
postcss-normalize-repeat-style <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-repeat-style
postcss-normalize-string <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-string
postcss-normalize-timing-functions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-timing-functions
postcss-normalize-unicode <=4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-unicode
postcss-normalize-url 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-url
postcss-normalize-whitespace <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-whitespace
postcss-ordered-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-ordered-values
postcss-overflow-shorthand >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link >=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-reduce-initial 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-replace-overflow-wrap 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
postcss-svgo 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-svgo
postcss-unique-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
resolve-url-loader 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
stylehacks 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks
82 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force ```
推荐答案
直到 react-scripts
被 CRA 团队更新,我认为 npx npm-force-resolutions
要工作,您可能需要编辑 package.json
并在根目录添加 resolutions"
部分.在此部分中,您可以尝试为问题包指定版本更新.因此,对于您的 postcss
,它将如下所示(将版本更改为 npm audit
建议的修复版本):
Until react-scripts
is updated by the CRA team I think for npx npm-force-resolutions
to work you might need to edit your package.json
and add a "resolutions"
section at the root. Inside this section you can then try specifying the version updates for the problem packages. So for your postcss
it would look like the following (changing the versions to those suggested as fixes by npm audit
):
"resolutions": {
"postcss": "7.0.36",
"glob-parent": "^5.1.2",
"css-what": "^5.0.1",
"normalize-url": "^4.5.1"
}
上面的配置是我似乎解决了我的 CRA 项目报告 8 个漏洞的方式,其中 4 个中等和 4 个高到一个与 browserslist
包有关的中等漏洞.postcss
的 7.0.36 版本是最新的 7 postcss
版本,它已经从 postcss
版本 8 向后移植了 ReDoS 修复.我尝试更新 postcss
到 8 的分辨率,但它会导致其他问题,我猜这与 WebPack 中使用的 postcss
插件的破坏性更改有关.我是网络开发新手,所以我在这里猜测.最后,我似乎无法更新 browserlist
,否则它会在执行 npm start
时在运行时导致未找到浏览器列表模块"错误.
The above config is how I seemed to have solved my CRA project reporting 8 vulnerabilities with 4 moderate and 4 High down to one moderate vulnerability regarding the browserslist
package. Version 7.0.36 of postcss
is the latest version 7 postcss
that has had the ReDoS fix backported from postcss
version 8. I tried updating postcss
to 8 in resolutions but it causes other issues which, I'm guessing, relate to breaking changes for postcss
plugins used in WebPack. I'm a web dev newcomer so I'm guessing here. Finally, I cannot seem to update browserlist
without it causing 'browserlist module not found' errors at runtime when executing npm start
.
这是我的终端输出,一切就绪并运行 npm i
Here's my terminal output with everything in place and running npm i
npm i
> testpostcss@0.1.0 preinstall F:\01-Projects\testpostcss
> npx npm-force-resolutions
npx: installed 6 in 1.566s
npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.14.5 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\watchpack-chokidar2\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\webpack-dev-server\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
audited 2422 packages in 17.483s
141 packages are looking for funding
run `npm fund` for details
found 1 moderate severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
seefe testpostcss master ≢ ~2 14.17.1 ﮫ 18.808s
npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular Expression Denial of Service
Package browserslist
Patched in >=4.16.5
Dependency of react-scripts
Path react-scripts > react-dev-utils > browserslist
More info https://npmjs.com/advisories/1747
found 1 moderate severity vulnerability in 2422 scanned packages
1 vulnerability requires manual review. See the full report for details.
seefe testpostcss master ≢ ~2 14.17.1 ﮫ 2.442s
这篇关于运行 npx create-react-app 后发现中等严重性漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!