【Posted at】: 2019-11-22 15:29:48
【Question】:
I am starting a brand new project using react-js. After installing the project with npm, I got high severity vulnerabilities. How can I fix these vulnerabilities? Will they cause any problems?
When I run the command npm start, everything seems to work fine.
I tried running "npm audit fix", but it shows: fixed 0 of 8646 vulnerabilities.
When I run this command:
npx create-react-app my-app
Output:
npx: installed 91 in 27.693s
Creating a new React app in E:\My project\ReactJS\Training\my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
> core-js@2.6.9 postinstall E:\My project\ReactJS\Training\my-app\node_modules\babel-runtime\node_modules\core-js
> node scripts/postinstall || echo "ignore"
> core-js-pure@3.1.4 postinstall E:\My project\ReactJS\Training\my-app\node_modules\core-js-pure
> node scripts/postinstall || echo "ignore"
+ react-dom@16.8.6
+ react@16.8.6
+ react-scripts@3.0.1
added 1411 packages from 726 contributors and audited 902137 packages in 287.343s
found 8646 high severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Success! Created my-app at E:\My project\ReactJS\Training\my-app
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd my-app
npm start
Happy hacking!
After that, I tried running:
npm audit fix
Output:
npm WARN @typescript-eslint/eslint-plugin@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/parser@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/typescript-estree@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN ts-pnp@1.1.2 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.14.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\jest-haste-map\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.0.6 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.0.6: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 10.513s
fixed 0 of 8646 vulnerabilities in 902137 scanned packages
8646 vulnerabilities required manual review and could not be updated
【Discussion】:
Tags: javascript reactjs npm