
This is my first SO question, so apologies for the lengthy code. I am trying to use create-react-app. I ran the following command:

npx create-react-app jam-box --use-npm

because I want to use npm instead of yarn, and everything worked: the project boilerplate was created. But one of the dependencies of react-scripts has a security vulnerability:

[Angie @ ~/jam-box](master)
$ npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > yargs > yargs-parser    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 922235 scanned packages
  1 vulnerability requires manual review. See the full report for details.
[Angie @ ~/jam-box](master)
$ 

I tried running npm audit fix, but it didn't work. I went to the webpack-dev-server GitHub and the create-react-app GitHub, and it looks like they were already addressing this security issue; as of two days ago, it had been fixed and merged into create-react-app master.

When I run npm i react-scripts@latest in my project:

[Angie @ ~/jam-box](master)
$ npm i react-scripts@latest
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN sass-loader@8.0.2 requires a peer of node-sass@^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN sass-loader@8.0.2 requires a peer of sass@^1.3.0 but none is installed. You must install peer dependencies yourself.
npm WARN sass-loader@8.0.2 requires a peer of fibers@>= 3.1.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

+ react-scripts@3.4.1
updated 1 package and audited 922235 packages in 46.013s

2 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

I held off on creating a new create-react-app project while waiting to see whether they would fix this issue. But today, when I tried running npx create-react-app jam-box --use-npm again, the security vulnerability is still there. I even tried running npm install react-scripts@latest, but the vulnerability persists. When I look at my package-lock.json, it says react-scripts is still using a previous version of webpack-dev-server instead of the latest 3.11.0. I don't know why, when I run npx create-react-app, it doesn't reflect the latest master branch of create-react-app. I just want to run create-react-app at the latest version; any help would be appreciated.

npx create-react-app jam-box --use-npm
npx: installed 98 in 9.648s

Creating a new React app in /Users/Angie/jam-box.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...


> fsevents@1.2.13 install /Users/Angie/jam-box/node_modules/jest-haste-map/node_modules/fsevents
> node install.js

  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  SOLINK_MODULE(target) Release/fse.node

> fsevents@1.2.13 install /Users/Angie/jam-box/node_modules/watchpack/node_modules/fsevents
> node install.js

  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  SOLINK_MODULE(target) Release/fse.node

> fsevents@1.2.13 install /Users/Angie/jam-box/node_modules/webpack-dev-server/node_modules/fsevents
> node install.js

  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  SOLINK_MODULE(target) Release/fse.node

> core-js@2.6.11 postinstall /Users/Angie/jam-box/node_modules/babel-runtime/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"


> core-js@3.6.5 postinstall /Users/Angie/jam-box/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"


> core-js-pure@3.6.5 postinstall /Users/Angie/jam-box/node_modules/core-js-pure
> node -e "try{require('./postinstall')}catch(e){}"

+ cra-template@1.0.3
+ react-scripts@3.4.1
+ react@16.13.1
+ react-dom@16.13.1
added 1620 packages from 760 contributors and audited 922030 packages in 107.471s

59 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Initialized a git repository.

Installing template dependencies using npm...
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

+ @testing-library/jest-dom@4.2.4
+ @testing-library/react@9.5.0
+ @testing-library/user-event@7.2.1
added 36 packages from 56 contributors and audited 922236 packages in 19.35s

59 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
Removing template package using npm...

npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

removed 1 package and audited 922235 packages in 12.693s

59 packages are looking for funding
  run `npm fund` for details

found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Created git commit.

Success! Created jam-box at /Users/Angie/jam-box
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd jam-box
  npm start

Happy hacking!


1 Answer


I've been tracking this vulnerability too, hoping to fix it as well!

My understanding is that react-scripts has not updated its dependencies to point to webpack-dev-server 3.11.0. Since webpack-dev-server is a dependency of react-scripts, react-scripts needs to update it in its codebase. This isn't something we can change in our own dependencies.

As you pointed out, webpack-dev-server updated their dependency on yargs to handle the "security vulnerability in yargs-parser (#2566) (41d1d0c)" (webpack-dev-server release notes: https://github.com/webpack/webpack-dev-server/releases).

But react-scripts (maintained and used by create-react-app, https://github.com/facebook/create-react-app/tree/master/packages/react-scripts) has not yet updated their dependency on webpack-dev-server to use the new 3.11.0 version.

I think this could be raised with them as an issue, asking them to update their dependency on webpack-dev-server to point to the latest one that resolves the security vulnerability, but honestly I'm not sure how that's done.

answered 2020-05-11T21:17:38.003
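The question observes that package-lock.json still resolves an older webpack-dev-server, and the answer explains why the fix has to land in react-scripts' own dependency declaration rather than in the app's. The practical check in the meantime is to see exactly which copies of the flagged package are installed, on which dependency path, and whether each falls inside the "Patched in" range that npm audit prints. The script below is an added example, not code from the question, the answer or the create-react-app project. It assumes the npm 6 lockfile layout (lockfileVersion 1, with nested "dependencies" objects), and the lockfile fragment and version numbers in it are constructed for illustration; only the "Patched in" range string is copied from the audit table above. It needs no packages beyond Node itself.

```javascript
// Walk an npm v6-style package-lock.json, collect every installed copy of a
// package with its dependency path, and test each against an advisory's
// "Patched in" range. Added example; the lockfile below is constructed and
// modelled on the path react-scripts > webpack-dev-server > yargs > yargs-parser.
const SAMPLE_LOCK = {
  name: "jam-box",
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": {
      version: "3.4.1",
      dependencies: {
        "webpack-dev-server": {
          version: "3.10.3", // illustrative older version, not from a real lockfile
          dependencies: {
            yargs: {
              version: "13.3.2",
              dependencies: {
                "yargs-parser": { version: "13.1.1" } // nested, unpatched copy
              }
            }
          }
        }
      }
    },
    "yargs-parser": { version: "18.1.3" } // hoisted top-level copy, already patched
  }
};

// The "Patched in" line from the npm audit table in the question.
const PATCHED_IN = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2";

// Parse "major.minor.patch"; any prerelease or build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a range such as ">=13.1.2 <14.0.0 || >=18.1.2"?
// Sets separated by "||" are OR-ed; comparators inside one set are AND-ed.
function satisfies(version, range) {
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      if (!m) throw new Error(`unparseable comparator: ${comparator}`);
      const op = m[1] || "=";
      const cmp = compareVersions(version, m[2]);
      return { ">=": cmp >= 0, "<=": cmp <= 0, ">": cmp > 0, "<": cmp < 0, "=": cmp === 0 }[op];
    })
  );
}

// Recursively collect every installed copy of `name` and the path leading to it.
function findPackage(lock, name) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [depName, info] of Object.entries(deps || {})) {
      const here = [...path, depName];
      if (depName === name) hits.push({ path: here.join(" > "), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Mark each installed copy as patched or not against the advisory range.
function auditPackage(lock, name, patchedIn) {
  return findPackage(lock, name).map((hit) => ({
    ...hit,
    patched: satisfies(hit.version, patchedIn)
  }));
}

// Stand-alone run: one line per installed copy.
for (const r of auditPackage(SAMPLE_LOCK, "yargs-parser", PATCHED_IN)) {
  console.log(`${r.patched ? "ok        " : "VULNERABLE"} ${r.version.padEnd(8)} ${r.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). The output makes the point of the answer visible: a patched copy hoisted to the top of node_modules does not help, because Node resolves the nearest node_modules first, so the nested copy under webpack-dev-server > yargs is the one that actually loads and the one npm audit reports. That copy only changes when the intermediate package (here react-scripts, via webpack-dev-server) declares a range that admits the patched version; npm ls yargs-parser shows the same paths without a script.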