Npm audit fix --force react script downgrade automatically
Problem description
I have a huge problem with my project in React. I'm trying to update the libraries in my project, but it seems something wrong happens.
This is the package.json:
{
  "name": "server",
  "version": "1.1.0",
  "description": "",
  "main": "index.js",
  "engines": {
    "node": "v14.16.0",
    "npm": ">=7.6.0"
  },
  "scripts": {
    "start": "node index.js",
    "server": "nodemon index.js",
    "client": "npm run start --prefix client",
    "dev": "concurrently \"npm run server\" \"npm run client\"",
    "heroku-postbuild": "NPM_CONFIG_PRODUCTION=false npm install --prefix client && npm run build --prefix client"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "body-parser": "^1.19.0",
    "concurrently": "^5.3.0",
    "cookie-parser": "^1.4.5",
    "cookie-session": "^1.4.0",
    "cors": "^2.8.5",
    "express": "^4.17.1",
    "express-socket.io-session": "^1.3.5",
    "heroku-ssl-redirect": "0.0.4",
    "lodash": "^4.17.21",
    "moment": "^2.29.1",
    "moment-timezone": "^0.5.33",
    "mongodb": "^3.6.4",
    "mongoose": "^5.11.17",
    "nodemailer": "^6.4.18",
    "nodemon": "^2.0.7",
    "passport": "^0.4.1",
    "passport-google-oauth20": "^2.0.0",
    "path-parser": "^6.1.0",
    "react-scripts": "^4.0.3",
    "sendgrid": "^5.2.3",
    "socket.io": "^3.1.1",
    "stripe": "^8.137.0"
  }
}
And these are the vulnerabilities. The fix downgrades the react-scripts package to 1.1.5, and this causes more vulnerabilities. I have no idea how to solve it. I already cleaned the npm cache, removed the node_modules folder and removed package-lock.json.
# npm audit report
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts 1.0.7-alpha.60ae2b6d || >=1.0.8
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
dns-packet <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/dns-packet
multicast-dns 6.0.0 - 7.2.2
Depends on vulnerable versions of dns-packet
node_modules/multicast-dns
bonjour >=3.3.1
Depends on vulnerable versions of multicast-dns
node_modules/bonjour
webpack-dev-server >=2.5.0
Depends on vulnerable versions of bonjour
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin >=0.3.1
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts 1.0.7-alpha.60ae2b6d || >=1.0.8
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 9.0.0 - 9.8.6
Depends on vulnerable versions of postcss
node_modules/autoprefixer
css-blank-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
postcss-preset-env >=6.0.0
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-double-position-gradients
node_modules/postcss-preset-env
css-declaration-sorter 4.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/css-declaration-sorter
css-has-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-loader 2.0.0 - 4.3.0
Depends on vulnerable versions of postcss
node_modules/css-loader
react-scripts 1.0.7-alpha.60ae2b6d || >=1.0.8
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
css-prefers-color-scheme *
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
cssnano 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
Depends on vulnerable versions of postcss
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.2 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
cssnano-preset-default <=4.0.0-rc.2 || 4.0.1 - 4.0.8
Depends on vulnerable versions of cssnano-util-raw-cache
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-reduce-initial
node_modules/cssnano-preset-default
cssnano-util-raw-cache >=4.0.1
Depends on vulnerable versions of postcss
node_modules/cssnano-util-raw-cache
icss-utils 4.0.0 - 4.1.1
Depends on vulnerable versions of postcss
node_modules/icss-utils
postcss-modules-local-by-default 2.0.0 - 4.0.0-rc.4
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-values 2.0.0 - 4.0.0-rc.5
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
postcss-attribute-case-insensitive 4.0.0 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-browser-comments 2.0.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-browser-comments
postcss-normalize 7.0.0 - 9.0.0
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-browser-comments
node_modules/postcss-normalize
postcss-calc 6.0.2 - 7.0.5
Depends on vulnerable versions of postcss
node_modules/postcss-calc
postcss-color-functional-notation >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 4.0.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-colormin 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-colormin
postcss-convert-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-convert-values
postcss-custom-media 7.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 8.0.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 5.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-discard-comments 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-comments
postcss-discard-duplicates 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-duplicates
postcss-discard-empty 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-empty
postcss-discard-overridden 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-overridden
postcss-double-position-gradients *
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-flexbugs-fixes 4.0.0 - 4.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-flexbugs-fixes
postcss-focus-visible >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial 3.0.0 - 3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-loader 3.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-loader
postcss-logical >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-merge-longhand 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
Depends on vulnerable versions of postcss
node_modules/postcss-merge-longhand
postcss-merge-rules 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-merge-rules
postcss-minify-font-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-font-values
postcss-minify-gradients 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-gradients
postcss-minify-params 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-params
postcss-minify-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-selectors
postcss-modules-extract-imports 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-scope 2.0.0 - 2.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-nesting 7.0.0 - 7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-normalize-charset 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-charset
postcss-normalize-display-values <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-display-values
postcss-normalize-positions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-positions
postcss-normalize-repeat-style <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-repeat-style
postcss-normalize-string <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-string
postcss-normalize-timing-functions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-timing-functions
postcss-normalize-unicode <=4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-unicode
postcss-normalize-url 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-url
postcss-normalize-whitespace <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-whitespace
postcss-ordered-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-ordered-values
postcss-overflow-shorthand >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link >=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-reduce-initial 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-replace-overflow-wrap 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
postcss-svgo 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-svgo
postcss-unique-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
resolve-url-loader 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
stylehacks 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks
87 vulnerabilities (81 moderate, 6 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Accepted answer
A few developers are now slowly getting this, hopefully temporary, problem when they update their projects.
For example: https://github.com/facebook/create-react-app/issues/11012
The recommendation is to leave this on the todo list and wait a few days while the package developers fix this (at least for the packages that have already been notified), then run audit fix again.
In the meantime, one error in particular, the 'high' severity one...
dns-packet <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
...would be a problem if the React application is running in dev mode on a public network, e.g. running a server in dev mode on Heroku via npm run start to the whole world (a BAD idea; consider searching for how to deploy a React application in production mode, there are a few methods).
If you are @home, on a local network, you should be OK.
If you are on public wifi - just don't, for now.
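The answer's advice amounts to: apply the non-breaking fixes now, and defer advisories whose only fix is a breaking downgrade (here, react-scripts@1.1.5) until upstream ships a patch. The following is an added example, not code from the original post, that sorts the JSON form of such a report (`npm audit --json`) into those two buckets; it assumes the npm 7+ audit JSON schema (`report.vulnerabilities[name]` with `severity`, `isDirect`, `via` and `fixAvailable`, the last being `true`/`false` or `{ name, version, isSemVerMajor }`), and the `placeholder-pkg` entry in the sample is a constructed stand-in for a package with a non-breaking fix.

```javascript
// Added example (not from the original post). Triage an `npm audit --json`
// report: advisories whose only fix is semver-major (the "breaking change"
// lines in the text report) go to `breaking` for a human decision rather
// than being applied blindly with `npm audit fix --force`.
// Assumed npm 7+ schema: report.vulnerabilities[name] =
//   { severity, isDirect, via, fixAvailable: true|false|{name,version,isSemVerMajor} }
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triageAudit(report, minSeverity = "moderate") {
  const floor = SEVERITY_RANK[minSeverity] ?? 0;
  const safe = [], breaking = [], unfixable = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? 0) < floor) continue; // below threshold
    // Object entries in `via` are the advisories themselves; string entries
    // only name the vulnerable dependency this package pulls in.
    const advisories = (v.via || []).filter((x) => typeof x === "object");
    const entry = {
      name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      advisories: advisories.map((a) => ({ title: a.title, url: a.url })),
    };
    const fix = v.fixAvailable;
    if (!fix) unfixable.push(entry);
    else if (fix === true || !fix.isSemVerMajor) safe.push(entry);
    else breaking.push({ ...entry, wouldInstall: `${fix.name}@${fix.version}` });
  }
  return { safe, breaking, unfixable };
}

// Constructed sample mirroring three findings from the report in the question,
// plus a made-up placeholder package whose fix is non-breaking.
const BREAKING_FIX = { name: "react-scripts", version: "1.1.5", isSemVerMajor: true };
const SAMPLE = {
  vulnerabilities: {
    "dns-packet": { severity: "high", isDirect: false, fixAvailable: BREAKING_FIX,
      via: [{ title: "Memory Exposure", url: "https://npmjs.com/advisories/1745" }] },
    "multicast-dns": { severity: "high", isDirect: false, fixAvailable: BREAKING_FIX,
      via: ["dns-packet"] },
    postcss: { severity: "moderate", isDirect: false, fixAvailable: BREAKING_FIX,
      via: [{ title: "Regular Expression Denial of Service", url: "https://npmjs.com/advisories/1693" }] },
    "placeholder-pkg": { severity: "moderate", isDirect: true, fixAvailable: true,
      via: [{ title: "(constructed placeholder)", url: "" }] },
  },
};

console.log(JSON.stringify(triageAudit(SAMPLE), null, 2));
```

For a real project, pipe `npm audit --json` to a file and pass its parsed contents to `triageAudit`; anything in `safe` is what plain `npm audit fix` will handle, and `breaking` is the list to revisit once upstream has patched.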