My React App has unfixable High Severity warnings, how do I fix this?

Posted: 2021-05-22 22:23:58

Question:

I cloned my repo for a React app. Ran npm i and got 3 high severity warnings. When I try to fix them (npm audit fix --force), I end up with 31 vulnerabilities in total.

Here are the warnings:

npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated core-js@2.6.12: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

added 1988 packages, and audited 1988 packages in 8s

126 packages are looking for funding
  run `npm fund` for details

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

This is what the audit shows:

# npm audit report

immer  <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
fix available via `npm audit fix --force`
Will install react-scripts@2.0.5, which is a breaking change
node_modules/immer
  react-dev-utils  >=6.0.6-next.9b4009d7
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=2.0.6-next.9b4009d7
    Depends on vulnerable versions of react-dev-utils
    node_modules/react-scripts

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Comments:

I have the same problem with react-scripts 4.0.3. Were you able to solve it?

It seems the official advice is to ignore it (not only in this case, since it has a fix, but for all cases of vulnerabilities in react-scripts dependencies). Normally I would think ignoring security warnings is a terrible idea, but they make a good case in that ticket (and this is Facebook saying it, not "some guy on the internet", so they have probably thought about it).

Answer 1:

I wrestled with this problem for several hours yesterday and this morning, and found this thread, which seems to be the cause:

https://github.com/facebook/create-react-app/issues/10411

and this proposed fix:

https://github.com/facebook/create-react-app/pull/10412

It looks like this is a dependency issue between immer, react-scripts and react-dev-tools. They say they will try to push an update this weekend, so I am hoping for an early release.

Comments:

Answer 2:

I think I ran into the same problem today. Entering npm update react-dev-utils --depth 2 in the console helped me and resolved the following:

High           Prototype Pollution

Package        immer

Dependency of  react-scripts

Path           react-scripts > react-dev-utils > immer

More info      https://nodesecurity.io/advisories/1603

Comments:
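The two questions this thread turns on can be checked offline, as an added example that is not code from the original post or from the create-react-app project: whether the installed immer really falls inside the advisory's vulnerable range, and whether every path to it runs through a devDependency such as react-scripts rather than a production dependency. The dependency tree, its version numbers and the helper names below are my own constructions, shaped to mirror the audit path in the question; they are not real npm output.

```javascript
// Added example (not from the original post or from create-react-app):
// offline triage of a transitive npm audit finding such as immer <8.0.1
// reached through react-scripts > react-dev-utils. Two things decide how
// much the finding matters:
//   1. is the installed version actually inside the advisory's range, and
//   2. does a production dependency reach it, or only a devDependency?
// The tree and versions below are constructed by hand to mirror the audit
// path in the question; they are not real npm output.

// Split "1.2.3" or "1.2.3-beta.1" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts
// before the release it precedes, as in semver.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Check a version against space-separated comparator clauses ("<8.0.1",
// ">=8.0.0 <10.0.0"), the form advisories use. Only that subset is
// handled; "||", "^" and "~" are not, so unknown syntax throws.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every(clause => {
    const m = /^(<=|>=|<|>|=)?(\d.*)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<':  return c < 0;
      case '<=': return c <= 0;
      case '>':  return c > 0;
      case '>=': return c >= 0;
      default:   return c === 0;
    }
  });
}

// Constructed tree shaped like the audit path in the question. `dev: true`
// marks a package that enters the project only as a devDependency; the
// version numbers are illustrative.
const tree = {
  name: 'my-app',
  dependencies: {
    react: { version: '17.0.1' },
    'react-scripts': {
      version: '4.0.1',
      dev: true,
      dependencies: {
        'react-dev-utils': {
          version: '11.0.1',
          dependencies: {
            immer: { version: '7.0.9' },
          },
        },
      },
    },
  },
};

// Every path from the root to `target`, with dev-ness inherited from any
// ancestor that is a devDependency.
function findPaths(node, target, path = [], dev = false, out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const childDev = dev || child.dev === true;
    const childPath = [...path, name];
    if (name === target) {
      out.push({ path: childPath, version: child.version, dev: childDev });
    }
    findPaths(child, target, childPath, childDev, out);
  }
  return out;
}

// Triage one advisory: which installs are in range, and whether any of
// them is reachable from a production dependency.
function triage(root, advisory) {
  const hits = findPaths(root, advisory.module)
    .filter(h => satisfies(h.version, advisory.vulnerableRange));
  return {
    vulnerableInstalls: hits.length,
    prodReachable: hits.some(h => !h.dev),
    paths: hits.map(h => `${h.path.join(' > ')}@${h.version}`),
  };
}

// Range copied from the audit report in the question.
const IMMER_ADVISORY = { module: 'immer', vulnerableRange: '<8.0.1' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(tree, IMMER_ADVISORY), null, 2));
}
```

Run it with node and read the result together with the audit output. vulnerableInstalls tells you the installed copy is in range (7.0.9 is below 8.0.1, so the warning is not noise), and prodReachable false tells you the only route to it is the react-scripts build tooling, which is the basis for the "ignore it" advice in the comments. The caveat is that dev-only means it does not ship in the production bundle, not that it never runs: it still executes on developer machines and in CI, so the real fix remains the react-scripts release that bumps immer, as Answer 1 points out.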
