Despite moving packages to "devDependencies", "npm-audit-productio



I created a React app with npx create-react-app myapp, but it is full of vulnerabilities. I followed the instructions in this GitHub issue and moved the packages into devDependencies in my package.json file; the "vulnerabilities" only exist on my local dev laptop. However, when I run npm audit --production as suggested, I still see a large number of vulnerability warnings. Did I forget to do something? Here is my package.json file.

{
  "name": "myapp",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^5.15.0",
    "@testing-library/react": "^11.2.7",
    "@testing-library/user-event": "^12.8.3",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "web-vitals": "^1.1.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

These are the react-scripts vulnerabilities I see

tpulliam@lappy:~/Desktop/code/myapp (master) $ npm audit --production
# npm audit report
ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@0.9.5, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts  >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of babel-jest
...
...

So I actually solved my problem. All I did was:

rm -fr node_modules/ package-lock.json && npm install, after modifying the package.json file.

After that, npm audit --production shows 0 vulnerabilities.
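Why the reinstall was needed, shown as an added example (not code from the question or the answer above): npm audit --production (an alias of --omit=dev in npm 7+) decides what to skip from the dev: true flags recorded in package-lock.json, not from package.json. A lockfile written while react-scripts was still under "dependencies" carries no such flag, so the whole react-scripts subtree stays in scope until the lockfile is regenerated. The check below compares the two files and lists the direct dependencies whose flag is stale. The package.json and both lockfiles are constructed inline as a small stand-in for the real create-react-app tree; the function names are my own.

```javascript
// Added example: detect a package-lock.json whose dev/prod flags no longer
// match package.json. All inputs are constructed inline.

// Normalise lockfileVersion 1 ("dependencies", keyed by name) and
// lockfileVersion 2/3 ("packages", keyed by node_modules path) into
// [name, entry] pairs for the top-level (hoisted) install only.
function lockEntries(lock) {
  if (lock.packages) {
    const prefix = "node_modules/";
    return Object.entries(lock.packages)
      .filter(([p]) => p.startsWith(prefix) && !p.slice(prefix.length).includes(prefix))
      .map(([p, e]) => [p.slice(prefix.length), e]);
  }
  return Object.entries(lock.dependencies || {});
}

// Names npm still considers under --production / --omit=dev: every
// lockfile entry that is not flagged dev-only.
function productionScope(lock) {
  return lockEntries(lock)
    .filter(([, e]) => e.dev !== true)
    .map(([name]) => name)
    .sort();
}

// Direct dependencies whose dev flag in the lockfile disagrees with
// package.json. A non-empty result means the lockfile is stale and
// `npm audit --production` will not omit what you expect it to.
function staleDevFlags(pkg, lock) {
  const isDev = new Map(lockEntries(lock).map(([n, e]) => [n, e.dev === true]));
  const stale = [];
  for (const name of Object.keys(pkg.devDependencies || {})) {
    if (isDev.has(name) && !isDev.get(name)) {
      stale.push(`${name}: devDependency but lockfile marks it prod`);
    }
  }
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (isDev.get(name) === true) {
      stale.push(`${name}: dependency but lockfile marks it dev`);
    }
  }
  return stale;
}

// Constructed package.json after react-scripts was moved to devDependencies.
const packageJson = {
  dependencies: { react: "^17.0.2" },
  devDependencies: { "react-scripts": "4.0.3" },
};

// Constructed lockfile written while react-scripts was still a dependency:
// no entry carries dev: true, so nothing is omitted from the audit.
const staleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { react: "^17.0.2", "react-scripts": "4.0.3" } },
    "node_modules/react": { version: "17.0.2" },
    "node_modules/react-scripts": { version: "4.0.3", dependencies: { "ansi-html": "0.0.7" } },
    "node_modules/ansi-html": { version: "0.0.7" },
  },
};

// Constructed lockfile regenerated after
// `rm -fr node_modules/ package-lock.json && npm install`:
// the dev-only subtree is flagged and drops out of --production scope.
const freshLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { react: "^17.0.2" }, devDependencies: { "react-scripts": "4.0.3" } },
    "node_modules/react": { version: "17.0.2" },
    "node_modules/react-scripts": { version: "4.0.3", dev: true, dependencies: { "ansi-html": "0.0.7" } },
    "node_modules/ansi-html": { version: "0.0.7", dev: true },
  },
};

console.log("stale lockfile, audit scope:", productionScope(staleLock));
console.log("stale lockfile, mismatches:", staleDevFlags(packageJson, staleLock));
console.log("fresh lockfile, audit scope:", productionScope(freshLock));
console.log("fresh lockfile, mismatches:", staleDevFlags(packageJson, freshLock));
```

Run it with node against your own files by replacing the constructed objects with JSON.parse(fs.readFileSync("package.json")) and the same for package-lock.json. A non-empty mismatch list is the situation in the question: the dev/prod split in package.json is correct, but the lockfile still records the old shape, so regenerating it (or running npm install so npm rewrites the flags) is the actual fix, and npm audit --production is only meaningful afterwards.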

Latest update