【Question title】: found 11 low severity vulnerabilities - React Native Project
【Posted】: 2019-03-24 13:52:11
【Question description】:

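Whenever I create a new React Native project with react-native init <projname> and then try to install any NPM package my project needs, I always run into this error -

found 11 low severity vulnerabilities

How should I resolve this error?

I have already tried npm audit fix. But it says the errors should be resolved manually.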

$ npm install react-native-elements --save
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\sane.cmd as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\sane
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\sane as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\sane
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\jest.cmd as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\jest-cli
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\jest as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\jest-cli
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\esvalidate.cmd as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\esprima
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\esparse.cmd as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\esprima
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\esvalidate as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\esprima
npm WARN rm not removing C:\Users\jjeff\Documents\React Native\testOne\node_modules\.bin\esparse as it wasn't installed by C:\Users\jjeff\Documents\React Native\testOne\node_modules\esprima

> react-native-elements@1.1.0 postinstall C:\Users\jjeff\Documents\React Native\testOne\node_modules\react-native-elements
> opencollective-postinstall

Thank you for using react-native-elements!
If you rely on this package, please consider supporting our open collective:
> https://opencollective.com/react-native-elements/donate

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN react-native-elements@1.1.0 requires a peer of react-native-vector-icons@>6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ react-native-elements@1.1.0
added 54 packages from 33 contributors, removed 34 packages, updated 918 packages and audited 515931 packages in 112.858s
found 11 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

【Question discussion】:

    Tags: react-native npm npm-install


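    【Solution 1】:

    You can run npm audit to see the details of these vulnerabilities; usually they belong to the dependencies/packages you installed for your project. This means there is not much you can do unless there is a newer update for a particular package that you have not yet applied.

    In your case they are low severity vulnerabilities, so I wouldn't worry too much about them. If you like, just use npm audit to see whether there is one you are particularly worried about; if so, raise it with the package developers, consider alternatives, or, as a last resort, fork the project and fix the vulnerability yourself. But again, I wouldn't worry too much about this, since they are only low severity vulnerabilities.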

    【Discussion】:
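
One way to do the triage the answer above describes, as an added example that is not part of the original thread: it sorts the findings from `npm audit --json` by whether a fixed release exists. It assumes the report layout of npm 7 and later (`vulnerabilities`, `via`, `isDirect`, `fixAvailable`); the sample report, package names and advisory titles are constructed.

```javascript
// Constructed sample in the npm 7+ `npm audit --json` layout (assumed format).
// Package names, ranges and advisory titles are made up for illustration.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-ui-kit": {
      name: "example-ui-kit", severity: "low", isDirect: true,
      via: ["example-parser"], effects: [], range: "<=1.1.0",
      fixAvailable: { name: "example-ui-kit", version: "2.0.0", isSemVerMajor: true },
    },
    "example-parser": {
      name: "example-parser", severity: "low", isDirect: false,
      via: [{ title: "Constructed advisory: regex denial of service", severity: "low" }],
      effects: ["example-ui-kit"], range: "<3.2.1", fixAvailable: true,
    },
    "example-watcher": {
      name: "example-watcher", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory: path traversal", severity: "high" }],
      effects: [], range: "*", fixAvailable: false,
    },
  },
};

const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

// Sort findings into what `npm audit fix` can resolve within the declared
// version ranges, what needs a breaking (semver-major) upgrade of a direct
// dependency, and what has no fixed release yet.
function triage(report) {
  const buckets = { autoFix: [], majorUpgrade: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    // `via` holds advisory objects for the package's own flaws and plain
    // strings when the flaw is inherited from another vulnerable package.
    const advisories = v.via.filter((x) => typeof x === "object").map((x) => x.title);
    const item = { name: v.name, severity: v.severity, direct: v.isDirect, advisories };
    if (v.fixAvailable === false) buckets.noFix.push(item);
    else if (v.fixAvailable === true) buckets.autoFix.push(item);
    else (v.fixAvailable.isSemVerMajor ? buckets.majorUpgrade : buckets.autoFix).push(item);
  }
  // Most severe first inside each bucket.
  const rank = (i) => SEVERITY_ORDER.indexOf(i.severity);
  Object.values(buckets).forEach((list) => list.sort((a, b) => rank(a) - rank(b)));
  return buckets;
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

The `noFix` bucket is the case where waiting for upstream, switching packages or forking are the remaining options; to use real data, pass the parsed output of `npm audit --json` to `triage` instead of `sampleReport`.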

      【Solution 2】:

      You can try the latest versions of the packages used in your project.
      You can try the commands below.

      npm install pkg-name
      


      npm install pkg-name@^version
      

      where pkg-name is the package name and version is the package version


      After installing the latest version you can try

      npm audit fix
      

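      Hope it works!

      【Discussion】:

        【Solution 3】:

        So, the problem resolved itself. The main issue was that the project would not run because of the vulnerabilities. But about a month later I started using Yarn to install dependencies, so I did not see the vulnerabilities. The problem is now resolved.

        【Discussion】: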
