
npm audit fix --force never gets rid of the vulnerabilities

Updated: 2023-09-11 21:31:16

You're in a loop because react-scripts@1 has some vulnerable dependencies and react-scripts@4 has different vulnerable dependencies, so you're bouncing back and forth between them. The first time you run npm audit --fix, you update to react-scripts@4.x, and when you run it again, it downgrades you to react-scripts@1.x to remove the vulnerable dependencies in the 4.x version.

As of this writing, if you run npx create-react-app my-app, you get react-scripts@4 (and the warning about 22 vulnerabilities) so maybe run npm audit --fix to get to that state, run your tests to make sure nothing broke, and go to https://www.npmjs.com/package/react-scripts from time to time to check for a release that bumps the dependencies (and/or run npm audit from time to time without the --fix to see if it updates it automatically).
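A small check, added here as an example and not part of the original answer, that parses `npm audit --json` reports (npm 7+ format, where `fixAvailable` is an object carrying `isSemVerMajor`) and lists the semver-major "fixes" that only `--force` applies, then spots the back-and-forth between majors that the answer describes when two consecutive reports are compared. The two sample reports and their version numbers are constructed, not taken from a real audit run.

```python
"""Inspect `npm audit --json` reports (npm 7+ format) and flag the semver-major
'fixes' that only `npm audit fix --force` applies, plus the version ping-pong."""
import json

def load_report(path):
    """Parse a saved `npm audit --json > audit.json` file."""
    with open(path) as f:
        return json.load(f)

# Constructed sample: report shape while react-scripts@1.x is installed
# (version numbers are illustrative, not taken from a real audit run).
REPORT_V1 = {"auditReportVersion": 2, "vulnerabilities": {
    "react-scripts": {"name": "react-scripts", "severity": "high", "isDirect": True,
                      "range": "<=4.0.2",
                      "fixAvailable": {"name": "react-scripts", "version": "4.0.3",
                                       "isSemVerMajor": True}},
    "lodash": {"name": "lodash", "severity": "moderate", "isDirect": False,
               "range": "<4.17.21", "fixAvailable": True}}}

# Constructed sample: after --force moved the project to 4.x, the only proposed
# fix is a downgrade back to a 1.x release that predates the new vulnerable deps.
REPORT_V4 = {"auditReportVersion": 2, "vulnerabilities": {
    "react-scripts": {"name": "react-scripts", "severity": "moderate", "isDirect": True,
                      "range": ">=2.0.0",
                      "fixAvailable": {"name": "react-scripts", "version": "1.1.5",
                                       "isSemVerMajor": True}}}}

def major(version):
    return int(version.split(".")[0])

def forced_fixes(report):
    """Return {package: target_version} for vulnerabilities whose only fix is a
    semver-major change, i.e. exactly what `npm audit fix --force` would install.
    Plain `npm audit fix` skips these; a bare True/False fixAvailable has no target."""
    out = {}
    for vuln in report.get("vulnerabilities", {}).values():
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            out[fix["name"]] = fix["version"]
    return out

def detect_loop(before, after):
    """Packages whose forced fix in `after` drops below the major version that
    `before` had just proposed: the back-and-forth the answer describes."""
    prev, nxt = forced_fixes(before), forced_fixes(after)
    return sorted(n for n in prev if n in nxt and major(nxt[n]) < major(prev[n]))
```

Save `npm audit --json` before and after a forced fix and feed both files through `load_report` and `detect_loop`; a non-empty result means `--force` is just swapping one set of vulnerable transitive dependencies for another rather than resolving them.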