I'm starting a brand-new project with react-js, and after installing it with npm I get a large number of high-severity vulnerabilities. How do I fix them? Will they cause any problems?
When I run the command npm start, everything seems to work fine.
I tried running `npm audit fix`, but it says: fixed 0 of 8646 vulnerabilities.
When I run this command:
npx create-react-app my-app
Output:
npx: installed 91 in 27.693s
Creating a new React app in E:\My project\ReactJS\Training\my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
> core-js@2.6.9 postinstall E:\My project\ReactJS\Training\my-app\node_modules\babel-runtime\node_modules\core-js
> node scripts/postinstall || echo "ignore"
> core-js-pure@3.1.4 postinstall E:\My project\ReactJS\Training\my-app\node_modules\core-js-pure
> node scripts/postinstall || echo "ignore"
+ react-dom@16.8.6
+ react@16.8.6
+ react-scripts@3.0.1
added 1411 packages from 726 contributors and audited 902137 packages in 287.343s
found 8646 high severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Success! Created my-app at E:\My project\ReactJS\Training\my-app
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd my-app
npm start
Happy hacking!
After that, I tried running this:
npm audit fix
Output:
npm WARN @typescript-eslint/eslint-plugin@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/parser@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/typescript-estree@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN ts-pnp@1.1.2 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.14.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\jest-haste-map\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.0.6 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.0.6: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 10.513s
fixed 0 of 8646 vulnerabilities in 902137 scanned packages
8646 vulnerabilities required manual review and could not be updated
Answer 0: (score: 0)
I believe that, according to gaearon, there is no need to worry: "In the context of Create React App this is not a real 'vulnerability', because it produces a static bundle. So it cannot affect you in any way.
Unfortunately, a false positive."
Edit: for me there are currently 0 vulnerabilities