我正在使用 preact-cli 建立一个 preact 项目:
npx --version # 7.4.0
npx preact-cli create typescript frontend
这告诉我:
...
added 1947 packages, and audited 1948 packages in 31s
129 packages are looking for funding
run `npm fund` for details
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
✔ Done!
仅运行默认设置后的 3 个高安全漏洞!?
这听起来不是很让人放心。
npm audit fix
...
fix available via `npm audit fix --force`
Will install preact-cli@2.2.1, which is a breaking change
好的,显然 npm fix 想要降级 preact-cli。那我们走吧:
npm audit fix --force
...
fix available via `npm audit fix --force`
Will install preact-cli@3.0.5, which is a breaking change
node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/preact-cli/node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs
node_modules/preact-cli/node_modules/yargs
preact-cli 1.0.0 - 3.0.0-next.3
Depends on vulnerable versions of extract-text-webpack-plugin
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of yargs
node_modules/preact-cli
webpack 2.1.0-beta.8 - 4.0.0-alpha.0
Depends on vulnerable versions of yargs
node_modules/preact-cli/node_modules/webpack
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/preact-cli/node_modules/extract-text-webpack-plugin
webpack-dev-server 2.0.0-beta - 3.10.3
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/preact-cli/node_modules/webpack-dev-server
17 vulnerabilities (7 low, 8 moderate, 2 high)
是的,降级到 2.2.1 会引入新的漏洞。它们可以通过撤消降级并返回到 3.0.5 来解决。
这是一个循环,npm audit fix --force 只是在 preact-cli 的 3.0.5 和 2.2.1 版本之间来回切换。
一些上下文: 这似乎是一个已知问题。