There is a regular expression denial of service vulnerability in the browserslist and glob-parent dependencies. This is what the npm audit security report looks like:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular Expression Denial of Service
Package browserslist
Patched in >=4.16.5
Dependency of react-scripts
Path react-scripts > react-dev-utils > browserslist
More info https://npmjs.com/advisories/1747
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of react-scripts
Path react-scripts > webpack > watchpack > watchpack-chokidar2 >
chokidar > glob-parent
More info https://npmjs.com/advisories/1751
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of react-scripts
Path react-scripts > webpack-dev-server > chokidar > glob-parent
More info https://npmjs.com/advisories/1751
found 3 moderate severity vulnerabilities in 2498 scanned packages
3 vulnerabilities require manual review. See the full report for details.
Here is the dependency tree:
1. devDependencies: react-scripts > react-dev-utils > browserslist
2. devDependencies: react-scripts > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent
3. devDependencies: react-scripts > webpack-dev-server > chokidar > glob-parent
This vulnerability has been fixed in browserslist version >= 4.16.5 (current version in react-scripts: 4.14.2).
This vulnerability has been fixed in glob-parent version > 5.1.2 (current version in react-scripts: 5.1.2).
Also, could you tell us the estimated timeframe for fixing these vulnerabilities in a react-scripts release?
3 answers
v1l68za41#
also
details here – webpack/webpack-dev-server#3801
dgiusagp2#
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
dpiehjr43#
bad bot