I started learning react and created my first app by running:
'npx create-react-app my-app'
After the app was built I got a warning in the terminal that says:
22 vulnerabilities (9 moderate, 13 high)
I tried to fix it by running:
'npm audit fix'
But it returned this:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: [email protected]
npm ERR! node_modules/type-fest
npm ERR!   type-fest@"^0.21.3" from [email protected]
npm ERR!   node_modules/ansi-escapes
npm ERR!     ansi-escapes@"^4.2.1" from @jest/[email protected]
npm ERR!     node_modules/@jest/core
npm ERR!       @jest/core@"^26.6.0" from [email protected]
npm ERR!       node_modules/jest
npm ERR!         peer jest@"^26.0.0" from [email protected]
npm ERR!         node_modules/jest-watch-typeahead
npm ERR!         1 more (react-scripts)
npm ERR!       1 more (jest-cli)
npm ERR!     ansi-escapes@"^4.3.1" from [email protected]
npm ERR!     node_modules/jest-watch-typeahead
npm ERR!       jest-watch-typeahead@"0.6.1" from [email protected]
npm ERR!       node_modules/react-scripts
npm ERR!         react-scripts@"4.0.3" from the root project
npm ERR!     2 more (jest-watcher, terminal-link)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/[email protected]
npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin
npm ERR!   @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from [email protected]
npm ERR!   node_modules/react-scripts
npm ERR!     react-scripts@"4.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /home/azizdragon/.npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/azizdragon/.npm/_logs/2021-06-23T03_09_31_663Z-debug.log
I tried deleting the package-lock.json file and the node_modules folder and running:
npm install
But it resulted in the same vulnerabilities. Here is the report when I run "npm audit":
browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  *
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  >=4.0.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of mini-css-extract-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-normalize-url
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.4 || 5.0.6
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of mini-css-extract-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
  mini-css-extract-plugin  0.6.0 - 1.0.0
  Depends on vulnerable versions of normalize-url
  node_modules/mini-css-extract-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  node_modules/postcss-normalize-url
    cssnano-preset-default  *
    Depends on vulnerable versions of postcss-normalize-url
    Depends on vulnerable versions of postcss-svgo
    node_modules/cssnano-preset-default
      cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
      Depends on vulnerable versions of cssnano-preset-default
      node_modules/cssnano
        optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.4 || 5.0.6
        Depends on vulnerable versions of cssnano
        node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
Should I use npm audit fix --force?
If it helps, I run Linux Mint 18.3 Cinnamon 64-bit.
Node version: v16.0.0
NPM version: 7.18.1
Thanks in advance.
asked Jun 23, 2021 at 3:24 by aziz aon

Comments:
- Run npm audit fix a few more times, then I think the moderate number should decrease or the warnings will decrease each time and actually work again. I once solved it that way. – prod3v3loper, Jun 23, 2021 at 3:48
- Got the same problem. Being new to the node ecosystem, I am getting worried now - if a basic, standard script creates an app with so many critical vulnerabilities, what does it tell about the maturity of the tools... – alexakarpov, Jun 28, 2021 at 4:00
- Oddly enough I happened to have just read this blog post by Dan Abramov on this issue. The gist is that many of these vulnerabilities probably can't affect an application created with Create React App in practice because many of these dependencies are used only in development. – Matthew Daly, Jul 8, 2021 at 10:02
- @alexakarpov Read overreacted.io/npm-audit-broken-by-design for more details, but it's not a reflection on the maturity of the tools, but of how the implementation of npm audit is problematic. These issues might be a problem if you were using them in the context of a Node.js application where they were deployed to production, but in the context of Create React App they aren't. You only really need to worry about anything flagged by npm audit --production. – Matthew Daly, Jul 8, 2021 at 10:21
2 Answers
As Matthew Daly has mentioned in the comments, following this blog post, npm audit: Broken by Design by Dan Abramov, most of or maybe all of the warnings are related to development dependencies, so they will not affect your production build, and you don't need to worry about fixing them at all.
It doesn't mean that development dependencies' vulnerabilities are harmless in every situation, every package and every version.
In my experience, most of the time there is no way to resolve all issues using npm audit, and almost always using npm audit --force will make the situation even worse and break your app.
So I ignore these warnings when I'm installing the latest version of a popular, highly maintained package like create-react-app.
Surely maintainers of libraries like CRA are aware of these warnings and would fix them immediately if they were serious.
Another way to make sure that these warnings are harmless is to check the reported issues of create-react-app or any other library and see what the responses have been.
I highly recommend reading the mentioned article, npm audit: Broken by Design.
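The triage the answer and Matthew Daly's comment describe (which findings can reach the production bundle, and which only touch build tooling) can be done mechanically from `npm audit --json`. The script below is an added example, not code from the post, from Create React App or from npm: it walks each finding's `effects` chain up to a direct dependency and checks whether that package sits under `dependencies` or `devDependencies`. The report and package.json are constructed from two of the chains quoted in the question; `example-runtime-lib` is a hypothetical runtime package.

```javascript
// Added example (not code from the Stack Overflow post, CRA or npm): classify
// `npm audit --json` findings (report version 2, as npm 7 prints it) by whether
// the direct dependency that pulls each one in is a runtime dependency or a
// devDependency. The report and package.json are constructed, trimmed to two of
// the chains quoted in the question; `example-runtime-lib` is hypothetical.
// For a real project: JSON.parse(fs.readFileSync('audit.json', 'utf8')).
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'glob-parent': { severity: 'moderate', isDirect: false, effects: ['chokidar'] },
    chokidar: { severity: 'moderate', isDirect: false, effects: ['webpack-dev-server'] },
    'webpack-dev-server': { severity: 'moderate', isDirect: false, effects: ['react-scripts'] },
    'normalize-url': { severity: 'high', isDirect: false,
      effects: ['mini-css-extract-plugin', 'example-runtime-lib'] },
    'mini-css-extract-plugin': { severity: 'high', isDirect: false, effects: ['react-scripts'] },
    'react-scripts': { severity: 'high', isDirect: true, effects: [] },
    'example-runtime-lib': { severity: 'high', isDirect: true, effects: [] },
  },
};
// Stock CRA lists react-scripts under "dependencies"; it is placed under
// devDependencies here because build tooling never ships in the bundle.
const packageJson = {
  dependencies: { react: '^17.0.2', 'example-runtime-lib': '^1.0.0' },
  devDependencies: { 'react-scripts': '4.0.3' },
};

// Follow `effects` (the packages that depend on this one) up to direct deps.
function topLevelRoots(vulns, name, seen = new Set()) {
  if (seen.has(name)) return []; // cycle, or second path of a diamond
  seen.add(name);
  const v = vulns[name];
  if (!v || v.isDirect || v.effects.length === 0) return [name];
  return v.effects.flatMap((parent) => topLevelRoots(vulns, parent, seen));
}

function classifyAudit(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const out = {};
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    const roots = topLevelRoots(report.vulnerabilities, name);
    const scope = roots.some((r) => prod.has(r)) ? 'production'
      : roots.some((r) => dev.has(r)) ? 'dev-only' : 'unknown';
    out[name] = { severity: v.severity, roots, scope };
  }
  return out;
}

// Count findings per scope so production-reachable ones are triaged first.
function summarize(classified) {
  const counts = { production: 0, 'dev-only': 0, unknown: 0 };
  for (const f of Object.values(classified)) counts[f.scope] += 1;
  return counts;
}
console.table(classifyAudit(auditReport, packageJson));
```

A finding classed as dev-only still deserves a look if the tooling runs on untrusted input (a CI job building a third-party pull request, for instance), which is the caveat the answer's second sentence makes.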
I am pretty sure CRA is no longer maintained. Vite is a good alternative if the application is purely front end.
https://medium.com/@dawid.niegrebecki/create-react-app-is-dead-what-to-use-instead-fcdd46b70295
Tags: javascript. Title: Npm vulnerabilities can't be fixed - Stack Overflow