`npm audit --production` still warns about vulnerabilities despite moving packages to `devDependencies`

Problem description

I created a React app with `npx create-react-app myapp` and it is full of vulnerabilities. I followed the instructions in this GitHub issue and moved the packages to `devDependencies` in my `package.json` file, since any "vulnerabilities" would only exist on my local development laptop. However, when I run `npm audit --production` as suggested, I still see a bunch of warnings about vulnerabilities. Did I forget to do something? Here is my `package.json` file.

{
  "name": "myapp",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^5.15.0",
    "@testing-library/react": "^11.2.7",
    "@testing-library/user-event": "^12.8.3",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "web-vitals": "^1.1.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

These are the vulnerabilities I see for `react-scripts`:

tpulliam@lappy:~/Desktop/code/myapp (master) $ npm audit --production
# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@0.9.5, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of webpack-dev-server
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of babel-jest
...
...

Tags: npm, npm-audit

Solution


So I actually solved my problem. All I did was run

`rm -fr node_modules/ package-lock.json && npm install`

after modifying the `package.json` file.

After that, `npm audit --production` shows 0 vulnerabilities.
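The reason the regeneration step matters: `npm audit --production` works from `package-lock.json`, and a lockfile written before the `package.json` edit still records `react-scripts` and its whole subtree as regular dependencies. The following check is an added example (not code from the question or answer) that flags that stale state; it assumes an npm 7+ lockfile (`lockfileVersion` 2) whose `packages` map marks dev-only entries with `"dev": true`, and the two lockfiles below are constructed samples, not real output.

```python
"""Detect a package-lock.json that is stale relative to package.json's
dependencies / devDependencies split. Assumes lockfileVersion 2, where
npm audit --production (--omit=dev) skips entries flagged "dev": true."""
import json

# Constructed sample: package.json after react-scripts was moved to devDependencies.
PACKAGE_JSON = json.loads("""{
  "dependencies": {"react": "^17.0.2", "react-dom": "^17.0.2"},
  "devDependencies": {"react-scripts": "4.0.3"}
}""")

# Constructed sample: the OLD lockfile, written while react-scripts was still a
# regular dependency, so neither it nor its transitive ansi-html carries "dev".
STALE_LOCK = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"react": "^17.0.2", "react-dom": "^17.0.2",
                          "react-scripts": "4.0.3"}},
    "node_modules/react": {"version": "17.0.2"},
    "node_modules/react-dom": {"version": "17.0.2"},
    "node_modules/react-scripts": {"version": "4.0.3"},
    "node_modules/ansi-html": {"version": "0.0.7"}
  }
}""")

# Constructed sample: lockfile regenerated after the package.json edit.
FRESH_LOCK = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"react": "^17.0.2", "react-dom": "^17.0.2"},
         "devDependencies": {"react-scripts": "4.0.3"}},
    "node_modules/react": {"version": "17.0.2"},
    "node_modules/react-dom": {"version": "17.0.2"},
    "node_modules/react-scripts": {"version": "4.0.3", "dev": true},
    "node_modules/ansi-html": {"version": "0.0.7", "dev": true}
  }
}""")

def production_packages(lock):
    """Package names that survive --omit=dev: every entry not flagged dev."""
    return sorted(path.rsplit("node_modules/", 1)[-1]
                  for path, meta in lock["packages"].items()
                  if path and not meta.get("dev", False))

def stale_dev_entries(pkg, lock):
    """devDependencies whose lockfile entry is NOT flagged dev: the lockfile
    predates the package.json edit and must be regenerated."""
    pkgs = lock["packages"]
    return sorted(name for name in pkg.get("devDependencies", {})
                  if "node_modules/" + name in pkgs
                  and not pkgs["node_modules/" + name].get("dev", False))
```

Run `stale_dev_entries` against a real project's `package.json` and `package-lock.json`; a non-empty result means the audit is still scanning packages you thought you had moved out of production.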
