npm - `npm audit --production` still warns about vulnerabilities despite moving packages to `devDependencies`
Problem description

I created a React application with npx create-react-app myapp, and it is full of vulnerabilities. I followed the instructions in this GitHub issue to move packages into devDependencies in my package.json file, since any "vulnerabilities" would only exist on my local development laptop. However, when I run npm audit --production as suggested, I still see a large number of warnings about vulnerabilities. Did I forget to do something? Here is my package.json file.
```json
{
  "name": "myapp",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^5.15.0",
    "@testing-library/react": "^11.2.7",
    "@testing-library/user-event": "^12.8.3",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "web-vitals": "^1.1.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}
```
These are the vulnerabilities I see for react-scripts:
```
tpulliam@lappy:~/Desktop/code/myapp (master) $ npm audit --production
# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@0.9.5, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of webpack-dev-server
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of babel-jest
    ...
...
```
Solution

So I actually solved my problem. All I did was run

```shell
rm -fr node_modules/ package-lock.json && npm install
```

after modifying the package.json file. After that, npm audit --production showed 0 vulnerabilities.
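As an added illustration of why deleting and regenerating package-lock.json mattered (this is example code, not part of the original question or answer): npm audits the dependency tree recorded in the lockfile, and `npm audit --production` (spelled `--omit=dev` in current npm) only skips the entries that lockfile flags `dev: true`. If the lockfile was written while react-scripts still sat under "dependencies", its subtree carries no dev flag, and editing package.json alone does not rewrite those flags. The script below uses a small constructed lockfileVersion 2 fragment (assumed shape: a "packages" map keyed by `node_modules/` path, with per-entry `dependencies` and optional `dev`/`devOptional` flags) to show which packages a production-only audit still inspects in a stale lockfile versus a regenerated one, and to detect the stale flags directly.

```javascript
// Added example (not from the original post): why a stale package-lock.json
// keeps devDependency packages inside the scope of `npm audit --production`.
//
// Assumption: npm 7+ writes lockfileVersion 2/3 files with a "packages" map
// keyed by path, marks entries reachable only from devDependencies with
// `dev: true`, and a production-only audit skips exactly those entries.

// Constructed sample tree (hoisted): react -> object-assign is production,
// react-scripts -> ansi-html is the dev-only subtree.
const packagesWithoutDevFlags = {
  "": {
    name: "myapp",
    dependencies: { react: "^17.0.2" },
    devDependencies: { "react-scripts": "4.0.3" },
  },
  "node_modules/react": { version: "17.0.2", dependencies: { "object-assign": "^4.1.1" } },
  "node_modules/object-assign": { version: "4.1.1" },
  "node_modules/react-scripts": { version: "4.0.3", dependencies: { "ansi-html": "^0.0.7" } },
  "node_modules/ansi-html": { version: "0.0.7" },
};

// Stale lockfile: written while react-scripts was still under "dependencies",
// so no entry carries a dev flag even though package.json has since changed.
const staleLock = { name: "myapp", lockfileVersion: 2, packages: packagesWithoutDevFlags };

// Regenerated lockfile: same tree, but the dev-only subtree is now flagged.
const freshLock = {
  name: "myapp",
  lockfileVersion: 2,
  packages: {
    ...packagesWithoutDevFlags,
    "node_modules/react-scripts": { ...packagesWithoutDevFlags["node_modules/react-scripts"], dev: true },
    "node_modules/ansi-html": { ...packagesWithoutDevFlags["node_modules/ansi-html"], dev: true },
  },
};

const PREFIX = "node_modules/";

// Hoisted package name for a lockfile path; null for the root entry and for
// nested node_modules paths, which this example deliberately does not model.
function hoistedName(lockPath) {
  if (!lockPath.startsWith(PREFIX)) return null;
  const name = lockPath.slice(PREFIX.length);
  return name.includes(PREFIX) ? null : name;
}

// Packages a production-only audit still inspects: every entry the lockfile
// does not flag as dev or devOptional.
function productionAuditScope(lock) {
  return Object.entries(lock.packages)
    .filter(([p, meta]) => hoistedName(p) !== null && !meta.dev && !meta.devOptional)
    .map(([p]) => hoistedName(p));
}

// Names reachable from package.json "dependencies" by following each
// package's own "dependencies" field through the lockfile.
function prodReachable(lock) {
  const seen = new Set();
  const stack = Object.keys(lock.packages[""].dependencies || {});
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const meta = lock.packages[PREFIX + name];
    if (meta) stack.push(...Object.keys(meta.dependencies || {}));
  }
  return seen;
}

// Entries that package.json says are dev-only but the lockfile has not
// flagged: the inconsistency that a fresh install after deleting the
// lockfile removes.
function staleDevFlags(lock) {
  const prod = prodReachable(lock);
  return Object.entries(lock.packages)
    .filter(([p, meta]) => hoistedName(p) !== null && !meta.dev && !prod.has(hoistedName(p)))
    .map(([p]) => hoistedName(p));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("stale audit scope:", productionAuditScope(staleLock));
  console.log("stale entries missing dev flag:", staleDevFlags(staleLock));
  console.log("fresh audit scope:", productionAuditScope(freshLock));
}
```

Run it with `node` and the stale lockfile reports react-scripts and ansi-html inside the production audit scope and lists both as entries missing a dev flag, while the regenerated lockfile leaves only react and object-assign in scope. To check a real project, load its package-lock.json with `JSON.parse` and pass it to `staleDevFlags`; a non-empty result means the lockfile and package.json disagree, and a fresh install (as in the answer above) is the fix rather than further edits to package.json.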