npm 审核修复 --force 永远无法避免漏洞

2023-11-24

我陷入了这样的境地：要么有 22 个漏洞，要么有 47 个漏洞。我可以运行npm audit fix但我总是建议运行--force切换以便实际执行升级。从那里我可以升级并获得 22 个漏洞，然后执行--force再次获得 47 个漏洞，这个循环永远持续下去。最好的解决办法是什么，让包裹保持原样？

我的包.json

  "dependencies": {
    "animate.css": "^4.1.1",
    "axios": "^0.21.1",
    "bootstrap": "^4.5.3",
    "http-proxy-middleware": "^0.19.1",
    "react": "^17.0.1",
    "react-dom": "^17.0.1",
    "react-ga": "^3.3.0",
    "react-router-dom": "^5.2.0",
    "react-scripts": "^1.1.5",
    "universal-cookie": "^4.0.4",
    "web-vitals": "^0.2.4"
  },

当我尝试时npm --audit fix在一种情况下：

npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: [email protected]
npm ERR! node_modules/type-fest
npm ERR!   type-fest@"^0.21.3" from [email protected]
npm ERR!   node_modules/ansi-escapes
npm ERR!     ansi-escapes@"^4.2.1" from @jest/[email protected]
npm ERR!     node_modules/@jest/core
npm ERR!       @jest/core@"^26.6.0" from [email protected]
npm ERR!       node_modules/jest
npm ERR!         peer jest@"^26.0.0" from [email protected]
npm ERR!         node_modules/jest-watch-typeahead
npm ERR!         1 more (react-scripts)
npm ERR!       1 more (jest-cli)
npm ERR!     ansi-escapes@"^4.3.1" from [email protected]
npm ERR!     node_modules/jest-watch-typeahead
npm ERR!       jest-watch-typeahead@"0.6.1" from [email protected]
npm ERR!       node_modules/react-scripts
npm ERR!         react-scripts@"^4.0.3" from the root project
npm ERR!     2 more (jest-watcher, terminal-link)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/react-re[email protected]
npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin
npm ERR!   @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from [email protected]
npm ERR!   node_modules/react-scripts
npm ERR!     react-scripts@"^4.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.

然后当我一个又一个地运行它时--force

# npm audit report

braces  <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/anymatch/node_modules/braces
node_modules/jest-cli/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/anymatch/node_modules/micromatch
  node_modules/jest-cli/node_modules/micromatch
  node_modules/jest-haste-map/node_modules/micromatch
  node_modules/jest-message-util/node_modules/micromatch
  node_modules/jest-runtime/node_modules/micromatch
  node_modules/test-exclude/node_modules/micromatch
  node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      sane  1.0.4 - 4.0.1
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of exec-sh
      node_modules/sane
        jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of sane
        node_modules/jest-haste-map
          jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-jasmine2
          Depends on vulnerable versions of jest-message-util
          Depends on vulnerable versions of jest-snapshot
          Depends on vulnerable versions of micromatch
          Depends on vulnerable versions of yargs
          node_modules/jest-cli
            jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
            Depends on vulnerable versions of jest-cli
            node_modules/jest
              react-scripts  0.1.0 - 2.1.8
              Depends on vulnerable versions of babel-jest
              Depends on vulnerable versions of css-loader
              Depends on vulnerable versions of file-loader
              Depends on vulnerable versions of jest
              Depends on vulnerable versions of sw-precache-webpack-plugin
              Depends on vulnerable versions of webpack
              Depends on vulnerable versions of webpack-dev-server
              node_modules/react-scripts
          jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of babel-plugin-istanbul
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-util
          Depends on vulnerable versions of micromatch
          Depends on vulnerable versions of yargs
          node_modules/jest-runtime
    http-proxy-middleware  0.3.0 - 0.17.4
    Depends on vulnerable versions of micromatch
    node_modules/webpack-dev-server/node_modules/http-proxy-middleware
      webpack-dev-server  <=3.11.2
      Depends on vulnerable versions of chokidar
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of yargs
      node_modules/webpack-dev-server
    jest-message-util  18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
    Depends on vulnerable versions of micromatch
    node_modules/jest-message-util
      jest-jasmine2  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
      Depends on vulnerable versions of jest-matchers
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-jasmine2
        jest-config  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
        Depends on vulnerable versions of jest-jasmine2
        node_modules/jest-config
      jest-matchers  >=18.5.0-alpha.7da3df39
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-matchers
      jest-util  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-util
        jest-environment-jsdom  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
        Depends on vulnerable versions of jest-util
        node_modules/jest-environment-jsdom
        jest-environment-node  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
        Depends on vulnerable versions of jest-util
        node_modules/jest-environment-node
        jest-snapshot  18.5.0-alpha.7da3df39 - 21.0.0-beta.1
        Depends on vulnerable versions of jest-util
        node_modules/jest-snapshot
    test-exclude  <=4.2.3
    Depends on vulnerable versions of micromatch
    node_modules/test-exclude
      babel-plugin-istanbul  <=5.0.0
      Depends on vulnerable versions of test-exclude
      node_modules/babel-plugin-istanbul
        babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
        Depends on vulnerable versions of babel-plugin-istanbul
        node_modules/babel-jest

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  <=3.11.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      react-scripts  0.1.0 - 2.1.8
      Depends on vulnerable versions of babel-jest
      Depends on vulnerable versions of css-loader
      Depends on vulnerable versions of file-loader
      Depends on vulnerable versions of jest
      Depends on vulnerable versions of sw-precache-webpack-plugin
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob
      micromatch  0.2.0 - 2.3.11
      Depends on vulnerable versions of braces
      Depends on vulnerable versions of parse-glob
      node_modules/anymatch/node_modules/micromatch
      node_modules/jest-cli/node_modules/micromatch
      node_modules/jest-haste-map/node_modules/micromatch
      node_modules/jest-message-util/node_modules/micromatch
      node_modules/jest-runtime/node_modules/micromatch
      node_modules/test-exclude/node_modules/micromatch
      node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
        anymatch  1.2.0 - 1.3.2
        Depends on vulnerable versions of micromatch
        node_modules/anymatch
          sane  1.0.4 - 4.0.1
          Depends on vulnerable versions of anymatch
          Depends on vulnerable versions of exec-sh
          node_modules/sane
            jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
            Depends on vulnerable versions of micromatch
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
              jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-jasmine2
              Depends on vulnerable versions of jest-message-util
              Depends on vulnerable versions of jest-snapshot
              Depends on vulnerable versions of micromatch
              Depends on vulnerable versions of yargs
              node_modules/jest-cli
                jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
                Depends on vulnerable versions of jest-cli
                node_modules/jest
              jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
              Depends on vulnerable versions of babel-jest
              Depends on vulnerable versions of babel-plugin-istanbul
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-util
              Depends on vulnerable versions of micromatch
              Depends on vulnerable versions of yargs
              node_modules/jest-runtime
        http-proxy-middleware  0.3.0 - 0.17.4
        Depends on vulnerable versions of micromatch
        node_modules/webpack-dev-server/node_modules/http-proxy-middleware
        jest-message-util  18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
        Depends on vulnerable versions of micromatch
        node_modules/jest-message-util
          jest-jasmine2  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
          Depends on vulnerable versions of jest-matchers
          Depends on vulnerable versions of jest-message-util
          node_modules/jest-jasmine2
            jest-config  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
            Depends on vulnerable versions of jest-jasmine2
            node_modules/jest-config
          jest-matchers  >=18.5.0-alpha.7da3df39
          Depends on vulnerable versions of jest-message-util
          node_modules/jest-matchers
          jest-util  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
          Depends on vulnerable versions of jest-message-util
          node_modules/jest-util
            jest-environment-jsdom  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
            Depends on vulnerable versions of jest-util
            node_modules/jest-environment-jsdom
            jest-environment-node  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
            Depends on vulnerable versions of jest-util
            node_modules/jest-environment-node
            jest-snapshot  18.5.0-alpha.7da3df39 - 21.0.0-beta.1
            Depends on vulnerable versions of jest-util
            node_modules/jest-snapshot
        test-exclude  <=4.2.3
        Depends on vulnerable versions of micromatch
        node_modules/test-exclude
          babel-plugin-istanbul  <=5.0.0
          Depends on vulnerable versions of test-exclude
          node_modules/babel-plugin-istanbul
            babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
            Depends on vulnerable versions of babel-plugin-istanbul
            node_modules/babel-jest

js-yaml  <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/js-yaml
  svgo  0.4.2 - 1.0.5
  Depends on vulnerable versions of js-yaml
  node_modules/svgo
    postcss-svgo  <=2.1.6
    Depends on vulnerable versions of svgo
    node_modules/postcss-svgo
      cssnano  <=3.10.0
      Depends on vulnerable versions of postcss-normalize-url
      Depends on vulnerable versions of postcss-svgo
      node_modules/cssnano
        css-loader  0.15.0 - 0.28.11
        Depends on vulnerable versions of cssnano
        node_modules/css-loader
          react-scripts  0.1.0 - 2.1.8
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of file-loader
          Depends on vulnerable versions of jest
          Depends on vulnerable versions of sw-precache-webpack-plugin
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/webpack/node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/webpack-dev-server/node_modules/yargs
    node_modules/webpack/node_modules/yargs
    node_modules/yargs
      jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
      Depends on vulnerable versions of jest-haste-map
      Depends on vulnerable versions of jest-jasmine2
      Depends on vulnerable versions of jest-message-util
      Depends on vulnerable versions of jest-snapshot
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of yargs
      node_modules/jest-cli
        jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
        Depends on vulnerable versions of jest-cli
        node_modules/jest
          react-scripts  0.1.0 - 2.1.8
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of file-loader
          Depends on vulnerable versions of jest
          Depends on vulnerable versions of sw-precache-webpack-plugin
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
      Depends on vulnerable versions of babel-jest
      Depends on vulnerable versions of babel-plugin-istanbul
      Depends on vulnerable versions of jest-haste-map
      Depends on vulnerable versions of jest-util
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of yargs
      node_modules/jest-runtime
      webpack  2.0.0-beta - 4.0.0-beta.3
      Depends on vulnerable versions of yargs
      node_modules/webpack
        babel-loader  7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
        Depends on vulnerable versions of webpack
        node_modules/babel-loader
        extract-text-webpack-plugin  2.0.0-beta.0 - 3.0.2
        Depends on vulnerable versions of webpack
        node_modules/extract-text-webpack-plugin
        file-loader  1.1.1 - 1.1.9
        Depends on vulnerable versions of webpack
        node_modules/file-loader
        webpack-dev-server  <=3.11.2
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server

merge  <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/merge
  exec-sh  <=0.3.1
  Depends on vulnerable versions of merge
  node_modules/exec-sh
    sane  1.0.4 - 4.0.1
    Depends on vulnerable versions of anymatch
    Depends on vulnerable versions of exec-sh
    node_modules/sane
      jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of sane
      node_modules/jest-haste-map
        jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-jasmine2
        Depends on vulnerable versions of jest-message-util
        Depends on vulnerable versions of jest-snapshot
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of yargs
        node_modules/jest-cli
          jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
          Depends on vulnerable versions of jest-cli
          node_modules/jest
            react-scripts  0.1.0 - 2.1.8
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of css-loader
            Depends on vulnerable versions of file-loader
            Depends on vulnerable versions of jest
            Depends on vulnerable versions of sw-precache-webpack-plugin
            Depends on vulnerable versions of webpack
            Depends on vulnerable versions of webpack-dev-server
            node_modules/react-scripts
        jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of babel-plugin-istanbul
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-util
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of yargs
        node_modules/jest-runtime

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/normalize-url
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  node_modules/postcss-normalize-url
    cssnano  <=3.10.0
    Depends on vulnerable versions of postcss-normalize-url
    Depends on vulnerable versions of postcss-svgo
    node_modules/cssnano
      css-loader  0.15.0 - 0.28.11
      Depends on vulnerable versions of cssnano
      node_modules/css-loader
        react-scripts  0.1.0 - 2.1.8
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of file-loader
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of sw-precache-webpack-plugin
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

trim-newlines  <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    sw-precache  >=4.2.0
    Depends on vulnerable versions of meow
    node_modules/sw-precache
      sw-precache-webpack-plugin  >=0.8.0
      Depends on vulnerable versions of sw-precache
      node_modules/sw-precache-webpack-plugin
        react-scripts  0.1.0 - 2.1.8
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of file-loader
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of sw-precache-webpack-plugin
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

webpack-dev-server  <=3.11.2
Severity: high
Missing Origin Validation - https://npmjs.com/advisories/725
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server
  react-scripts  0.1.0 - 2.1.8
  Depends on vulnerable versions of babel-jest
  Depends on vulnerable versions of css-loader
  Depends on vulnerable versions of file-loader
  Depends on vulnerable versions of jest
  Depends on vulnerable versions of sw-precache-webpack-plugin
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-server
  node_modules/react-scripts

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/webpack/node_modules/yargs-parser
node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/webpack-dev-server/node_modules/yargs
  node_modules/webpack/node_modules/yargs
  node_modules/yargs
    jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-jasmine2
    Depends on vulnerable versions of jest-message-util
    Depends on vulnerable versions of jest-snapshot
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of yargs
    node_modules/jest-cli
      jest  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
      Depends on vulnerable versions of jest-cli
      node_modules/jest
        react-scripts  0.1.0 - 2.1.8
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of file-loader
        Depends on vulnerable versions of jest
        Depends on vulnerable versions of sw-precache-webpack-plugin
        Depends on vulnerable versions of webpack
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts
    jest-runtime  12.1.1-alpha.2935e14d - 24.8.0
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of babel-plugin-istanbul
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-util
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of yargs
    node_modules/jest-runtime
    webpack  2.0.0-beta - 4.0.0-beta.3
    Depends on vulnerable versions of yargs
    node_modules/webpack
      babel-loader  7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
      Depends on vulnerable versions of webpack
      node_modules/babel-loader
      extract-text-webpack-plugin  2.0.0-beta.0 - 3.0.2
      Depends on vulnerable versions of webpack
      node_modules/extract-text-webpack-plugin
      file-loader  1.1.1 - 1.1.9
      Depends on vulnerable versions of webpack
      node_modules/file-loader
      webpack-dev-server  <=3.11.2
      Depends on vulnerable versions of chokidar
      Depends on vulnerable versions of http-proxy-middleware
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of yargs
      node_modules/webpack-dev-server

你陷入了循环，因为react-scripts@1有一些脆弱的依赖项并且react-scripts@4具有不同的易受攻击的依赖项，因此您需要在它们之间来回切换。第一次跑步时npm audit fix --force，您更新为[email protected]，当您再次运行它时，它会将您降级为[email protected]删除 4.x 版本中易受攻击的依赖项。

截至撰写本文时，如果您运行npx create-react-app my-app，你得到react-scripts@4（以及关于 22 个漏洞的警告）所以也许可以运行npm audit fix --force要达到该状态，请运行测试以确保没有损坏，然后转到https://www.npmjs.com/package/react-scripts时不时地检查是否有版本会增加依赖项（和/或运行npm audit有时没有--force查看它是否自动更新）。

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系:hwhale#tublm.com(使用前将#替换为@)

npm 审核修复 --force 永远无法避免漏洞的相关文章

将nodejs Express静态请求重定向到https

我需要将所有 http 请求重定向到 https 包括对静态文件的请求 My code app use express static dirname public app get function req res if req secure
× TypeError：无法读取未定义的属性（读取“map”）

当我尝试运行此代码时它给出了此错误 TypeError 无法读取未定义的属性读取 map 为什么会发生这种情况我怎样才能让它发挥作用 import React from react import Grid from material
使用 Sequelize (NodeJS) 代替 * 指定特定字段

好吧我在 NodeJS 中有一个项目我正在其中使用 Sequelize 来实现 MySQL ORM 这件事工作得非常好但是我试图弄清楚是否有一种方法可以指定在查询的基础上返回哪些字段或者是否有一种方法可以在某处执行 query 例如
如何使用 Passport /Facebook 策略/验证 Supertest 请求？

我使用 Passport js 进行身份验证 Facebook 策略并使用 Mocha 和 Supertest 进行测试如何使用 Supertest for Facebook 策略创建会话并发出经过身份验证的请求这是用户未登录时的示例
如何在react-router-dom@v6中使用私有路由

我想要将私有路由与react router dom v6一起使用当我尝试应用身份验证条件时在 App js 中
添加元数据到快速路线

有什么方法可以将元数据添加到 Express 的路线中吗例如 app get some route function req res some meta data 我正在寻找一种针对我的节点应用程序的 AOP 方法因此我想通过身份验证和
通过node.js的npm安装gulp会破坏windows

我想在我的 Windows 机器上使用 gulp 它实际上工作得很好除非我尝试使用创建的文件例如推送到 github 或删除然后它就崩溃了因为文件路径太长这似乎是一个相当常见的问题 https github com joyent
Google 跟踪代码管理器导致 SPA 中的整个页面重新加载 - React

当我在 React 的 GTM 中添加触发器时 a a or 元素它会导致单击时重新加载整个页面而不是仅重新渲染应用程序的一部分当我删除谷歌跟踪时一切都会顺利进行有没有办法如何配置 GTM 不影响应用程序的行为如果 Googl
如何使用 setState 插入 React 的状态数组？

我正在寻找在反应中修改和数组并在特定索引上插入元素这就是我的状态 this state arr 我想做的是编译这个arr index random element 反应 js setState 语法我试图做的是 this setStat
socket.io xhr 在连接缓慢时出现错误（3G 移动网络）

当我在 3G 移动网络互联网连接速度慢上测试我的真实聊天应用程序时 Socket io反复断开然后重新连接我已经记录了原因它说 xhr post error 这提高了 transport error 然后断开连接我可以知道什么意思
无法处理未捕获的类型错误：无法读取 createRouterReducer 处未定义的属性“位置”

我在将路由器连接到 rootReducer 时遇到问题控制台日志未捕获的类型错误无法读取未定义的属性位置在 createRouterReducer reducer js 005c 9 不知道如何修复它并将路由器连接到减速器 app
有没有办法在 React 中自动播放音频而不使用 onClick 事件？

我在尝试在 componentDidMount 中播放音频时收到此错误未捕获承诺中 DOMException play 失败因为用户没有先与文档交互 componentDidMount document getElementById
如何用 JavaScript 修复图像透视变形和旋转？

我有一些用手机拍摄的图像有没有可以拉直纸张照片并将其压平的 JavaScript 库例如我想创建一个矩形图像该图像没有任何失真换句话说我想知道如何用 JavaScript 修复透视变形和旋转例如我发现下面的示例图像来自this
在需要时初始化模块

我有一个模块里面有一些初始化代码加载模块时应执行 init 目前我正在这样做 in the module exports init function config do it in main var mod require myModu
我应该如何实现将状态保存到 localStorage？

CODE var React require react var Recipe require Recipe jsx var AddRecipe require AddRecipe jsx var EditRecipe require Ed
将项目中的node_modules集中到子项目中

是否可以以在中心点上拥有所需模块的方式配置 grunt 我有以下项目结构 Project subproject subproject subproject 我通过 grunt 构建项目的所有子项目并且我也可以为自己构建每个子项目目前我
让 Jest 全局设置和全局拆卸在 TypeScript 项目中工作

我想运行一个在运行测试之前打开数据库连接的函数全局设置以及另一个在运行测试后关闭数据库连接的函数全局拆卸目前我有以下配置包 json jest testEnvironment node globalSetup src jest g
使用 nockjs 和 jest 进行 Promise/异步单元测试的代码覆盖率问题

我使用 NockJS 和 Jest 为 React 应用程序编写了一个简单的 API 调用单元测试如下所示 AjaxService js export const AjaxService post url data headers gt
如何清除node.js中的超时

您好我们正在使用 node js socket io 和 redis 开发应用程序我们有这个程序 exports processRequest function request result var self this var time
‘state’未定义 no-undef

我使用教程来学习 React 但我很快就陷入困境在教程中他们使用以下代码 import React Component from react class Counter extends Component state count 0 r

随机推荐

C++中通过引用传递指针

我有一个函数将迭代器传递给 char 缓冲区这也是一个 char 该函数需要递增迭代器无论如何我发现将迭代器传递到函数中的一个好方法是通过引用传递指针 bool myFunction unsigned char iter 但是我听
将 CSV 文件转换为 Lua 中定义键的表

我正在学习 Lua 来构建飞行模拟器的脚本我有一个 CSV 文件如下所示 Poti city Poti red 295731 42857144 617222 85714285 Lanchhuti city Poti red 299217
使用Xcode和SDK构建胖静态库（设备+模拟器）4+

理论上我们似乎可以构建一个包含模拟器以及 iPhone 和 iPad 的静态库然而 Apple 没有我能找到的相关文档并且 Xcode 的默认模板也没有配置为执行此操作我正在寻找一种可以在 Xcode 内完成的简单可移植可重用的
是否可以在共享内存中存储多态类？

假设我有课Base and Derived public Base 我使用 boost interprocess 库构建了一个共享内存段是否可以有类似这样的代码 Base b new Derived write b one app wri
用于 Asp.net Mvc 的 Google Chart HtmlHelper

是否有任何 HtmlHelper 扩展谷歌图表API 我喜欢使用一些基本图表例如饼图条形图 Soe Moe 谷歌说你插入一个像这样的图表 img src alt Sample chart 所以编写一个像这样的 HtmlHelper 应该
在 Java 中，如何解析 xml 模式 (xsd) 以了解给定元素的有效内容？

我希望能够读取 XML 模式即 xsd 并在遍历它时从中知道什么是有效属性子元素和值例如假设我有一个 xsd 此 xml 将根据它进行验证
如何回滚 EmberData 中的关系更改

我有两种亲子关系模型训练和锻炼 App Training DS Model extend exercises DS hasMany App Exercise App Exercise DS Model extend training DS
将 WSSE SOAP 标头添加到 Web 参考

我正在尝试将 WSSE SOAP 标头添加到我的服务调用中但大多数示例都集中在 WCF 上我没有使用 WCF 我添加了 Web 参考 WSDL 我尝试了各种方法但没有成功例如覆盖 GetWebRequest 方法 protected
通过 Ajax 调用使用 Struts 2 的 HTTP 数组参数

我在将数组参数发送到 Struts 2 操作类时遇到问题我使用的是struts 2 1 8 1 这是一些示例代码 public class MyAction extends ActionSupport private String typ
C# ADAL AcquireTokenAsync() 不带弹出框

我们正在编写一个 WCF 服务该服务必须与 Dynamics CRM 2016 Online 集成我正在尝试使用 ADAL 进行身份验证使用方法AcquireTokenAsync 问题是它会显示一个弹出框提示用户输入凭据当然我
定期获取位置（坐标），而不会显着增加电池消耗

我正在开发一个 Android 应用程序该应用程序需要定期每 10 分钟向网络服务发送当前位置坐标但是我对更正确的方法对设备电池更友好感到有点困惑我读了这个answer和她的方法 getLocation 看起来不错但我不
在 OpenGL ES (iPhone) 中绘制到离屏渲染缓冲区

我正在尝试在 iPhone 上的 OpenGL ES 中创建离屏渲染缓冲区我创建了这样的缓冲区 glGenFramebuffersOES 1 offscreenFramebuffer glBindFramebufferOES GL FRA
如何让uipageviewcontroller转圈

我有一个显示不同页面的 UIPageViewController 当前的行为是当我到达最后一页时它停止滚动我现在想要实现的是当在最后一页并向右滚动时它会转到第一页在第一页时向左滚动即可转到最后一页所以基本上让 PageViewC
如何获取socket.io房间内的客户端数量？

我的socket io版本1 3 5 我想获得特定房间的客户数量这是我的代码 socket on create or join function numClients room socket join room 我使用此代码让客户进入房间
Python ValueError：无法解码 JSON 对象

我正在尝试读取 json 并获取它的值我有一个包含 JSON 档案的文件夹我需要打开所有档案并从中获取值这是代码 encoding utf 8 from pprint import pprint import json import
用于使用半正矢函数计算轴承的 CLLocation 类别

我正在尝试为 CLLocation 编写一个类别以将方位返回到另一个 CLLocation 我相信我的公式做错了微积分不是我的强项返回的轴承始终处于关闭状态我一直在研究这个问题并尝试应用被接受为正确答案的更改及其引用的网页计算两个
32 位和 64 位版本的 Windows 操作系统的页面大小是多少？

我想知道 Windows 操作系统 32 位和 64 位版本中虚拟内存的默认页面大小例如页面大小Linux x86 是4 Kb call GetSystemInfo或更好GetNativeSystemInfo并寻找dw页面大小成员SYS
T-SQL：如何从一个表中获取其值与另一表中的值完全匹配的行？

鉴于以下情况 declare a table pkid int value int declare b table otherID int value int insert into a values 1 1000 insert into
为什么“real”和“float”都映射为“Single”而不是“Double”？

我在模型优先模式 EDMX 下使用 System Data SQLite 1 0 90 与 VS2013 和 EntityFramework 5 我创建了一个新的 SQLite 数据库其中包含一个表 CREATE TABLE Test1i
npm 审核修复 --force 永远无法避免漏洞

我陷入了这样的境地要么有 22 个漏洞要么有 47 个漏洞我可以运行npm audit fix但我总是建议运行 force切换以便实际执行升级从那里我可以升级并获得 22 个漏洞然后执行 force再次获得 47 个漏洞这个循环

npm 审核修复 --force 永远无法避免漏洞

npm 审核修复 --force 永远无法避免漏洞 的相关文章

随机推荐

热门标签

npm 审核修复 --force 永远无法避免漏洞的相关文章