ReactJS：运行创建react-app时出现中等严重程度的漏洞

Question

在运行 npx create-react-app my-app 时，我遇到了 10 个中等严重程度的漏洞。即使运行 npmauditfix 或 npmauditfix--force 后也无法修复。当我运行 npmauditfix --force 时，我得到了 44 个漏洞（25 个低漏洞、5 个中漏洞、14 个高漏洞），然后，如果我运行相同的命令来修复，我会得到 10 个中等严重漏洞。每次我运行命令时，这种情况都会持续循环。

$ npm audit
# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747  
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751  
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-rc.6
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin

10 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Answer 1

你必须跑npm audit --production而不是npm audit。这是一个已知问题，尚未得到真正的解决。这些都应该在您的 devDependency 中，并且不会对您的生产版本产生任何安全影响。

在此处阅读有关开发依赖项与依赖项的更多信息。

在react-create-app Github中了解更多相关信息。