npm install issue：27 个漏洞（16 个中等，9 个高，2 个严重）要解决所有问题，运行：npm audit fix --force

Posted 2023-02-21

【中文标题】npm install issue：27 个漏洞（16 个中等，9 个高，2 个严重）要解决所有问题，运行：npm audit fix --force

【英文标题】：npm install issue : 27 vulnerabilities (16 moderate, 9 high, 2 critical) To address all issues , run: npm audit fix --force

【发布时间】：2022-01-10 17:38:21

【问题描述】：

当我在相关的react项目文件夹中输入npm install时，安装节点模块后返回此错误

27 vulnerabilities (16 moderate, 9 high, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

npm audit fix --force 给出了这个输出 =>

npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 0.9.5,which is a SemVer major change.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated eslint-loader@1.6.0: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated extract-text-webpack-plugin@1.0.1: Deprecated. Please use https://github.com/webpack-contrib/mini-css-extract-plugin
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated sane@1.4.1: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated babel-eslint@7.1.1: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated html-webpack-plugin@2.24.0: out of support
npm WARN deprecated svgo@0.7.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 395 packages, removed 1253 packages, changed 287 packages, and audited 1099 packages in 3m

22 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/ansi-html
  react-dev-utils  0.2.0 - 11.0.3
  Depends on vulnerable versions of ansi-html
  node_modules/react-dev-utils
    react-scripts  0.1.0 - 4.0.0-next.117
    Depends on vulnerable versions of eslint-plugin-import
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of jest
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

braces  <2.3.1
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      chokidar  1.0.0-rc1 - 2.1.8
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of glob-parent
      node_modules/chokidar
        watchpack  0.2.2 - 1.6.1
        Depends on vulnerable versions of chokidar
        node_modules/watchpack
    http-proxy-middleware  0.3.0 - 0.17.4
    Depends on vulnerable versions of micromatch
    node_modules/http-proxy-middleware
      react-scripts  0.1.0 - 4.0.0-next.117
      Depends on vulnerable versions of eslint-plugin-import
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of jest
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of url-loader
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts
      webpack-dev-server  <=3.1.10
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of open
      Depends on vulnerable versions of optimist
      node_modules/webpack-dev-server
    jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of sane
    node_modules/jest-haste-map
      jest-resolve  18.1.0 - 19.0.2
      Depends on vulnerable versions of jest-haste-map
      node_modules/jest-resolve
        jest-cli  0.5.5 - 24.1.0
        Depends on vulnerable versions of jest-config
        Depends on vulnerable versions of jest-resolve
        Depends on vulnerable versions of jest-runtime
        Depends on vulnerable versions of node-notifier
        Depends on vulnerable versions of sane
        Depends on vulnerable versions of yargs
        node_modules/jest-cli
          jest  13.3.0-alpha.4eb0c908 - 23.6.0
          Depends on vulnerable versions of jest-cli
          node_modules/jest
        jest-config  18.1.0 - 19.0.4
        Depends on vulnerable versions of jest-resolve
        node_modules/jest-config
        jest-resolve-dependencies  18.1.0
        Depends on vulnerable versions of jest-resolve
        node_modules/jest-resolve-dependencies
        jest-runtime  12.1.1-alpha.2935e14d - 24.0.0-alpha.16
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of babel-plugin-istanbul
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-resolve
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of yargs
        node_modules/jest-runtime
    test-exclude  <=4.2.3
    Depends on vulnerable versions of micromatch
    node_modules/test-exclude
      babel-plugin-istanbul  <=5.0.0
      Depends on vulnerable versions of test-exclude
      node_modules/babel-plugin-istanbul
        babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
        Depends on vulnerable versions of babel-plugin-istanbul
        node_modules/babel-jest

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
  color  <=0.11.4
  Depends on vulnerable versions of color-string
  node_modules/color
    colormin  *
    Depends on vulnerable versions of color
    node_modules/colormin
      postcss-colormin  <=2.2.2
      Depends on vulnerable versions of colormin
      node_modules/postcss-colormin
        cssnano  <=3.10.0
        Depends on vulnerable versions of postcss-colormin
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/eslint-module-utils/node_modules/debug
  eslint-module-utils  1.0.0-beta.0 - 2.0.0
  Depends on vulnerable versions of debug
  node_modules/eslint-module-utils
    eslint-plugin-import  2.0.0-beta.0 - 2.1.0
    Depends on vulnerable versions of eslint-module-utils
    node_modules/eslint-plugin-import
      react-scripts  0.1.0 - 4.0.0-next.117
      Depends on vulnerable versions of eslint-plugin-import
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of jest
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of url-loader
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    watchpack  0.2.2 - 1.6.1
    Depends on vulnerable versions of chokidar
    node_modules/watchpack
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob
      micromatch  0.2.0 - 2.3.11
      Depends on vulnerable versions of braces
      Depends on vulnerable versions of parse-glob
      node_modules/micromatch
        anymatch  1.2.0 - 1.3.2
        Depends on vulnerable versions of micromatch
        node_modules/anymatch
        http-proxy-middleware  0.3.0 - 0.17.4
        Depends on vulnerable versions of micromatch
        node_modules/http-proxy-middleware
          react-scripts  0.1.0 - 4.0.0-next.117
          Depends on vulnerable versions of eslint-plugin-import
          Depends on vulnerable versions of http-proxy-middleware
          Depends on vulnerable versions of jest
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of url-loader
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
          webpack-dev-server  <=3.1.10
          Depends on vulnerable versions of http-proxy-middleware
          Depends on vulnerable versions of open
          Depends on vulnerable versions of optimist
          node_modules/webpack-dev-server
        jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of sane
        node_modules/jest-haste-map
          jest-resolve  18.1.0 - 19.0.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/jest-resolve
            jest-cli  0.5.5 - 24.1.0
            Depends on vulnerable versions of jest-config
            Depends on vulnerable versions of jest-resolve
            Depends on vulnerable versions of jest-runtime
            Depends on vulnerable versions of node-notifier
            Depends on vulnerable versions of sane
            Depends on vulnerable versions of yargs
            node_modules/jest-cli
              jest  13.3.0-alpha.4eb0c908 - 23.6.0
              Depends on vulnerable versions of jest-cli
              node_modules/jest
            jest-config  18.1.0 - 19.0.4
            Depends on vulnerable versions of jest-resolve
            node_modules/jest-config
            jest-resolve-dependencies  18.1.0
            Depends on vulnerable versions of jest-resolve
            node_modules/jest-resolve-dependencies
            jest-runtime  12.1.1-alpha.2935e14d - 24.0.0-alpha.16
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of babel-plugin-istanbul
            Depends on vulnerable versions of jest-haste-map
            Depends on vulnerable versions of jest-resolve
            Depends on vulnerable versions of micromatch
            Depends on vulnerable versions of yargs
            node_modules/jest-runtime
        test-exclude  <=4.2.3
        Depends on vulnerable versions of micromatch
        node_modules/test-exclude
          babel-plugin-istanbul  <=5.0.0
          Depends on vulnerable versions of test-exclude
          node_modules/babel-plugin-istanbul
            babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
            Depends on vulnerable versions of babel-plugin-istanbul
            node_modules/babel-jest

is-svg  2.1.0 - 4.2.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-7r28-3m3f-r2pr
fix available via `npm audit fix`
node_modules/is-svg

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/svgo/node_modules/js-yaml
  svgo  0.4.2 - 1.0.5
  Depends on vulnerable versions of js-yaml
  node_modules/svgo
    postcss-svgo  <=2.1.6
    Depends on vulnerable versions of svgo
    node_modules/postcss-svgo
      cssnano  <=3.10.0
      Depends on vulnerable versions of postcss-colormin
      Depends on vulnerable versions of postcss-svgo
      node_modules/cssnano

merge  <2.1.1
Severity: high
Prototype Pollution in merge - https://github.com/advisories/GHSA-7wpw-2hjm-89gp
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/merge
  exec-sh  <=0.3.1
  Depends on vulnerable versions of merge
  node_modules/exec-sh
    sane  1.0.4 - 4.0.1
    Depends on vulnerable versions of exec-sh
    node_modules/sane
      jest-cli  0.5.5 - 24.1.0
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of jest-resolve
      Depends on vulnerable versions of jest-runtime
      Depends on vulnerable versions of node-notifier
      Depends on vulnerable versions of sane
      Depends on vulnerable versions of yargs
      node_modules/jest-cli
        jest  13.3.0-alpha.4eb0c908 - 23.6.0
        Depends on vulnerable versions of jest-cli
        node_modules/jest
          react-scripts  0.1.0 - 4.0.0-next.117
          Depends on vulnerable versions of eslint-plugin-import
          Depends on vulnerable versions of http-proxy-middleware
          Depends on vulnerable versions of jest
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of url-loader
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of sane
      node_modules/jest-haste-map
        jest-resolve  18.1.0 - 19.0.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/jest-resolve
          jest-config  18.1.0 - 19.0.4
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-config
          jest-resolve-dependencies  18.1.0
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-resolve-dependencies
          jest-runtime  12.1.1-alpha.2935e14d - 24.0.0-alpha.16
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of babel-plugin-istanbul
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-resolve
          Depends on vulnerable versions of micromatch
          Depends on vulnerable versions of yargs
          node_modules/jest-runtime

mime  <1.4.1
Severity: moderate
Regular Expression Denial of Service in mime - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/mime
  url-loader  0.5.5 - 0.5.9
  Depends on vulnerable versions of mime
  node_modules/url-loader
    react-scripts  0.1.0 - 4.0.0-next.117
    Depends on vulnerable versions of eslint-plugin-import
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of jest
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

minimist  <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    webpack  0.11.0-beta1 - 2.0.2-beta
    Depends on vulnerable versions of optimist
    node_modules/webpack
      extract-text-webpack-plugin  <=1.0.1
      Depends on vulnerable versions of webpack
      node_modules/extract-text-webpack-plugin
      react-scripts  0.1.0 - 4.0.0-next.117
      Depends on vulnerable versions of eslint-plugin-import
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of jest
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of url-loader
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts
    webpack-dev-server  <=3.1.10
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of open
    Depends on vulnerable versions of optimist
    node_modules/webpack-dev-server

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/node-notifier
  jest-cli  0.5.5 - 24.1.0
  Depends on vulnerable versions of jest-config
  Depends on vulnerable versions of jest-resolve
  Depends on vulnerable versions of jest-runtime
  Depends on vulnerable versions of node-notifier
  Depends on vulnerable versions of sane
  Depends on vulnerable versions of yargs
  node_modules/jest-cli
    jest  13.3.0-alpha.4eb0c908 - 23.6.0
    Depends on vulnerable versions of jest-cli
    node_modules/jest
      react-scripts  0.1.0 - 4.0.0-next.117
      Depends on vulnerable versions of eslint-plugin-import
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of jest
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of url-loader
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts

open  <6.0.0
Severity: critical
Command Injection in open - https://github.com/advisories/GHSA-28xh-wpgr-7fm8
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/open
  webpack-dev-server  <=3.1.10
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of open
  Depends on vulnerable versions of optimist
  node_modules/webpack-dev-server
    react-scripts  0.1.0 - 4.0.0-next.117
    Depends on vulnerable versions of eslint-plugin-import
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of jest
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

react-dev-utils  0.2.0 - 11.0.3
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of ansi-html
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils
  react-scripts  0.1.0 - 4.0.0-next.117
  Depends on vulnerable versions of eslint-plugin-import
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of jest
  Depends on vulnerable versions of react-dev-utils
  Depends on vulnerable versions of url-loader
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-server
  node_modules/react-scripts

webpack-dev-server  <=3.1.10
Severity: critical
Missing Origin Validation in webpack-dev-server - https://github.com/advisories/GHSA-cf66-xwfp-gvc4
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
  react-scripts  0.1.0 - 4.0.0-next.117
  Depends on vulnerable versions of eslint-plugin-import
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of jest
  Depends on vulnerable versions of react-dev-utils
  Depends on vulnerable versions of url-loader
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-server
  node_modules/react-scripts

yargs-parser  <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    jest-cli  0.5.5 - 24.1.0
    Depends on vulnerable versions of jest-config
    Depends on vulnerable versions of jest-resolve
    Depends on vulnerable versions of jest-runtime
    Depends on vulnerable versions of node-notifier
    Depends on vulnerable versions of sane
    Depends on vulnerable versions of yargs
      jest  13.3.0-alpha.4eb0c908 - 23.6.0
      Depends on vulnerable versions of jest-cli
      node_modules/jest
        react-scripts  0.1.0 - 4.0.0-next.117
        Depends on vulnerable versions of eslint-plugin-import
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of url-loader
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts
    jest-runtime  12.1.1-alpha.2935e14d - 24.0.0-alpha.16
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of babel-plugin-istanbul
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-resolve
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of yargs
    node_modules/jest-runtime

48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

这在几周前运行良好，我什至清除了 npm 缓存，但问题仍然存在。 请在这个问题上帮助我。谢谢

【问题讨论】：

你使用的是什么版本的节点？

【参考方案1】：

您需要运行 npm auidt fix，如果它不起作用，请尝试 npm audit fix --force

【讨论】：

您的答案可以通过额外的支持信息得到改进。请edit 添加更多详细信息，例如引用或文档，以便其他人可以确认您的答案是正确的。你可以找到更多关于如何写好答案的信息in the help center。

【参考方案2】：

我遇到了同样的问题，漏洞数量完全相同。

查看解决方案here

【讨论】：

谢谢。它在那里清楚地解释了