ReactJS：运行 create react-app 时存在中等严重性漏洞

Posted 2023-03-26

【中文标题】ReactJS：运行 create react-app 时存在中等严重性漏洞

【英文标题】：ReactJS : Moderate severity vulnerabilities while running create react-app

【发布时间】：2021-11-21 05:10:36

【问题描述】：

在运行 npx create-react-app my-app 时，我遇到了 10 个中等严重性漏洞。即使在运行 npm audit fix 或 npm audit fix --force 后也无法修复。当我运行 npm audit fix --force 时，我得到更多 44 个漏洞（25 个低、5 个中等、14 个高），然后如果我再次运行相同的命令来修复，我得到 10 个中等严重性漏洞。每次我运行命令时，这都会循环进行。

$ npm audit
# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747  
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751  
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-rc.6
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin

10 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

【参考方案1】：

您必须运行 npm audit --production 而不是 npm audit。这是一个没有真正修复的已知问题。这些都应该在您的 devDependencies 中，并且不会对您的生产构建产生任何安全影响。

阅读更多关于开发依赖与依赖here.

在react-create-app Github 中了解更多信息。

【参考方案2】：

这些漏洞似乎来自开发依赖项，因此您可能不必修复这些漏洞。

React 开发人员和 Redux 的创建者之一 Dan Abramov 写了一篇文章解释了这一点 https://overreacted.io/npm-audit-broken-by-design/

【讨论】：

Dan Abramov 在 Github 问题中为 Create-React-App 写了另一个（更短的）解释，解释了为什么这些不是实际漏洞：Help, npm audit says I have a vulnerability in react-scripts! issue #11174github.com/facebook/create-react-app/issues/11174