#npm
Вопрос:
у меня огромная проблема с моим проектом в react. Я пытаюсь обновить библиотеки в своем проекте, но, похоже, происходит что-то не так.
Это пакет.json
{
"name": "server",
"version": "1.1.0",
"description": "",
"main": "index.js",
"engines": {
"node": "v14.16.0",
"npm": ">=7.6.0"
},
"scripts": {
"start": "node index.js",
"server": "nodemon index.js",
"client": "npm run start --prefix client",
"dev": "concurrently "npm run server" "npm run client"",
"heroku-postbuild": "NPM_CONFIG_PRODUCTION=false npm install --prefix client amp;amp; npm run build --prefix client"
},
"author": "",
"license": "ISC",
"dependencies": {
"body-parser": "^1.19.0",
"concurrently": "^5.3.0",
"cookie-parser": "^1.4.5",
"cookie-session": "^1.4.0",
"cors": "^2.8.5",
"express": "^4.17.1",
"express-socket.io-session": "^1.3.5",
"heroku-ssl-redirect": "0.0.4",
"lodash": "^4.17.21",
"moment": "^2.29.1",
"moment-timezone": "^0.5.33",
"mongodb": "^3.6.4",
"mongoose": "^5.11.17",
"nodemailer": "^6.4.18",
"nodemon": "^2.0.7",
"passport": "^0.4.1",
"passport-google-oauth20": "^2.0.0",
"path-parser": "^6.1.0",
"react-scripts": "^4.0.3",
"sendgrid": "^5.2.3",
"socket.io": "^3.1.1",
"stripe": "^8.137.0"
}
}
И это уязвимости, понижающие рейтинг пакета react-scripts до 1.1.5, и это вызывает еще больше уязвимостей. И я понятия не имею, как это решить. Я уже очистил кэш npm, удалил папку node _module и удалил блокировку пакетов.json
# npm audit report
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts 1.0.7-alpha.60ae2b6d || >=1.0.8
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
dns-packet <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/dns-packet
multicast-dns 6.0.0 - 7.2.2
Depends on vulnerable versions of dns-packet
node_modules/multicast-dns
bonjour >=3.3.1
Depends on vulnerable versions of multicast-dns
node_modules/bonjour
webpack-dev-server >=2.5.0
Depends on vulnerable versions of bonjour
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin >=0.3.1
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts 1.0.7-alpha.60ae2b6d || >=1.0.8
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
autoprefixer 9.0.0 - 9.8.6
Depends on vulnerable versions of postcss
node_modules/autoprefixer
css-blank-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-blank-pseudo
postcss-preset-env >=6.0.0
Depends on vulnerable versions of css-blank-pseudo
Depends on vulnerable versions of css-prefers-color-scheme
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-color-gray
Depends on vulnerable versions of postcss-double-position-gradients
node_modules/postcss-preset-env
css-declaration-sorter 4.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/css-declaration-sorter
css-has-pseudo *
Depends on vulnerable versions of postcss
node_modules/css-has-pseudo
css-loader 2.0.0 - 4.3.0
Depends on vulnerable versions of postcss
node_modules/css-loader
react-scripts 1.0.7-alpha.60ae2b6d || >=1.0.8
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
css-prefers-color-scheme *
Depends on vulnerable versions of postcss
node_modules/css-prefers-color-scheme
cssnano 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
Depends on vulnerable versions of postcss
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.2 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
cssnano-preset-default <=4.0.0-rc.2 || 4.0.1 - 4.0.8
Depends on vulnerable versions of cssnano-util-raw-cache
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-reduce-initial
node_modules/cssnano-preset-default
cssnano-util-raw-cache >=4.0.1
Depends on vulnerable versions of postcss
node_modules/cssnano-util-raw-cache
icss-utils 4.0.0 - 4.1.1
Depends on vulnerable versions of postcss
node_modules/icss-utils
postcss-modules-local-by-default 2.0.0 - 4.0.0-rc.4
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-values 2.0.0 - 4.0.0-rc.5
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
postcss-attribute-case-insensitive 4.0.0 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-attribute-case-insensitive
postcss-browser-comments 2.0.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-browser-comments
postcss-normalize 7.0.0 - 9.0.0
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-browser-comments
node_modules/postcss-normalize
postcss-calc 6.0.2 - 7.0.5
Depends on vulnerable versions of postcss
node_modules/postcss-calc
postcss-color-functional-notation >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-functional-notation
postcss-color-gray >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-gray
postcss-color-hex-alpha 4.0.0 - 6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-hex-alpha
postcss-color-mod-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-mod-function
postcss-color-rebeccapurple >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-color-rebeccapurple
postcss-colormin 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-colormin
postcss-convert-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-convert-values
postcss-custom-media 7.0.0 - 7.0.8
Depends on vulnerable versions of postcss
node_modules/postcss-custom-media
postcss-custom-properties 8.0.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-custom-properties
postcss-custom-selectors 5.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-custom-selectors
postcss-dir-pseudo-class >=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-dir-pseudo-class
postcss-discard-comments 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-comments
postcss-discard-duplicates 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-duplicates
postcss-discard-empty 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-empty
postcss-discard-overridden 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-overridden
postcss-double-position-gradients *
Depends on vulnerable versions of postcss
node_modules/postcss-double-position-gradients
postcss-env-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-env-function
postcss-flexbugs-fixes 4.0.0 - 4.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-flexbugs-fixes
postcss-focus-visible >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-visible
postcss-focus-within >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-focus-within
postcss-font-variant 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-font-variant
postcss-gap-properties >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-gap-properties
postcss-image-set-function >=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-image-set-function
postcss-initial 3.0.0 - 3.0.4
Depends on vulnerable versions of postcss
node_modules/postcss-initial
postcss-lab-function >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-lab-function
postcss-loader 3.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-loader
postcss-logical >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-logical
postcss-media-minmax 4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-media-minmax
postcss-merge-longhand 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
Depends on vulnerable versions of postcss
node_modules/postcss-merge-longhand
postcss-merge-rules 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-merge-rules
postcss-minify-font-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-font-values
postcss-minify-gradients 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-gradients
postcss-minify-params 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-params
postcss-minify-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-selectors
postcss-modules-extract-imports 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-scope 2.0.0 - 2.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-nesting 7.0.0 - 7.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-nesting
postcss-normalize-charset 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-charset
postcss-normalize-display-values <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-display-values
postcss-normalize-positions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-positions
postcss-normalize-repeat-style <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-repeat-style
postcss-normalize-string <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-string
postcss-normalize-timing-functions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-timing-functions
postcss-normalize-unicode <=4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-unicode
postcss-normalize-url 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-url
postcss-normalize-whitespace <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-whitespace
postcss-ordered-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-ordered-values
postcss-overflow-shorthand >=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break 2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link >=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-reduce-initial 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-replace-overflow-wrap 3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches >=4.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not 4.0.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
postcss-svgo 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-svgo
postcss-unique-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
resolve-url-loader 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
stylehacks 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks
87 vulnerabilities (81 moderate, 6 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Комментарии:
1. Частичная причина: Похоже, проблема со сценариями реагирования (требуется обновить dns-пакет), которая в настоящее время рассматривается здесь: github.com/facebook/create-react-app/issues/11012
Ответ №1:
Один из сопровождающих приложений create-react объявил, что они не могут исправить это, поскольку уязвимости влияют на переходные зависимости, и что это не должно иметь значения.
Причина в том, что npm audit функция была создана с учетом приложений узлов, а не инструментов сборки. Уязвимости в зависимостях не должны (в большинстве случаев) приводить к уязвимостям в статическом веб-приложении, создаваемом create-react-app.
Возможным обходным путем является переход react-scripts к devDependencies разделу в вашем package.json и использование npm audit --production для аудита ваших зависимостей.
Источник: https://github.com/facebook/create-react-app/issues/11174
Комментарии:
1. Это хороший обходной путь .. за исключением того, что мне нужно
react-scriptsсобрать, поэтому он должен быть установлен в рабочей среде, например, на Heroku.
Ответ №2:
Несколько разработчиков теперь медленно сталкиваются с этой, надеюсь, временной проблемой, когда они обновляют свои проекты.
Например: https://github.com/facebook/create-react-app/issues/11012
Рекомендуется оставить это в списке задач и подождать несколько дней, пока разработчики пакетов исправят это (по крайней мере, для пакетов, которые уже были уведомлены).
Затем audit fix снова беги
В то же время, одна ошибка, в частности, «высокой» серьезности…
dns-packet <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
https://npmjs.com/advisories/1745
Будет проблемой, если приложение react работает в режиме разработки в общедоступной сети, например, запуск сервера в режиме разработки на heroku через npm run start весь мир (плохая идея, подумайте о поиске способа развертывания в приложении react в рабочем режиме, есть несколько методов).
Если вы находитесь @home, в локальной сети, с вами все должно быть в порядке.
Если вы находитесь в общественном Wi — Fi-просто не делайте этого сейчас