Updated: 2023-09-11 21:31:16
You're in a loop because react-scripts@1 has some vulnerable dependencies and react-scripts@4 has different vulnerable dependencies, so you're bouncing back and forth between them. The first time you run npm audit --fix, you update to react-scripts@4.x, and when you run it again, it downgrades you to react-scripts@1.x to remove the vulnerable dependencies in the 4.x version.
As of this writing, if you run npx create-react-app my-app, you get react-scripts@4 (and the warning about 22 vulnerabilities), so maybe run npm audit --fix to get to that state, run your tests to make sure nothing broke, and go to https://www.npmjs.com/package/react-scripts from time to time to check for a release that bumps the dependencies (and/or run npm audit from time to time without the --fix to see if it updates it automatically).