When I run npm audit, it tells me the following about a vulnerability:
react-dev-utils 0.4.0 - 12.0.0-next.60
Severity: critical
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
fix available via `npm audit fix --force`
Will install @sambego/storybook-state@1.3.6, which is a breaking change
node_modules/@sambego/storybook-state/node_modules/react-dev-utils
node_modules/react-dev-utils
It says npm fix will install
--> @sambego/storybook-state@1.3.6,
but in my package.json it says
--> "@sambego/storybook-state": "^2.0.1",
so my package is much newer than the recommended one.
I would accept any answer that tells me whether and why I can ignore this critical npm vulnerability.
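Added example, not part of the question or of any answer: the text report above leaves implicit which of the project's own (direct) dependencies drags in the flagged package, why two copies of it are installed, and what `npm audit fix --force` would actually change. The script below reads the same report in its JSON form (`npm audit --json`) and answers those three questions for each entry. It assumes the npm 7+ JSON layout (a `vulnerabilities` map whose entries carry `isDirect`, `via`, `effects`, `nodes` and `fixAvailable`); the sample audit is constructed by hand from the names, versions and paths visible in the question, and the `range` given for @sambego/storybook-state is an assumed placeholder.

```javascript
// Sample `npm audit --json` output, constructed by hand (not captured from the
// asker's project) and modelled on the npm 7+ JSON shape.
const sampleAudit = {
  vulnerabilities: {
    "react-dev-utils": {
      name: "react-dev-utils",
      severity: "critical",
      isDirect: true, // a copy also sits at node_modules/react-dev-utils
      via: [
        {
          name: "react-dev-utils",
          title: "Improper Neutralization of Special Elements used in an OS Command.",
          url: "https://github.com/advisories/GHSA-5q6m-3h65-w53x",
          severity: "critical",
          range: "0.4.0 - 12.0.0-next.60",
        },
        "browserslist", "fork-ts-checker-webpack-plugin", "globby", "immer", "inquirer", "strip-ansi",
      ],
      effects: ["@sambego/storybook-state"],
      range: "0.4.0 - 12.0.0-next.60",
      nodes: [
        "node_modules/@sambego/storybook-state/node_modules/react-dev-utils",
        "node_modules/react-dev-utils",
      ],
      fixAvailable: { name: "@sambego/storybook-state", version: "1.3.6", isSemVerMajor: true },
    },
    "@sambego/storybook-state": {
      name: "@sambego/storybook-state",
      severity: "critical",
      isDirect: true,
      via: ["react-dev-utils"], // a bare string means "vulnerable only through this dependency"
      effects: [],
      range: "*", // assumed placeholder; the real range is not shown in the question
      nodes: ["node_modules/@sambego/storybook-state"],
      fixAvailable: { name: "@sambego/storybook-state", version: "1.3.6", isSemVerMajor: true },
    },
  },
};

// Follow `effects` upward from `pkg` and return every chain that ends at a
// package the project depends on directly (isDirect). A package can be both
// direct and pulled in by another one, so a direct hit does not stop the walk.
function chainsToDirectDeps(audit, pkg) {
  const vulns = audit.vulnerabilities;
  const chains = [];
  const walk = (name, path, seen) => {
    const entry = vulns[name];
    if (!entry || seen.has(name)) return; // unknown node or a cycle
    const here = [...path, name];
    const next = new Set(seen).add(name);
    if (entry.isDirect) chains.push(here);
    for (const parent of entry.effects) walk(parent, here, next);
  };
  walk(pkg, [], new Set());
  return chains;
}

// Split an install path into the package names along it; scoped names keep
// their "@scope/" prefix because we split on "node_modules/" boundaries only.
function pathToPackages(nodePath) {
  return nodePath.split(/\/?node_modules\//).filter(Boolean);
}

// Where does each installed copy of `pkg` live? A copy nested under another
// package's node_modules exists because that package resolved to a different
// version than the hoisted top-level copy.
function nodeLocations(audit, pkg) {
  const result = { topLevel: false, nestedUnder: [] };
  for (const p of audit.vulnerabilities[pkg].nodes) {
    const pkgs = pathToPackages(p);
    if (pkgs.length === 1) result.topLevel = true;
    else result.nestedUnder.push(pkgs[pkgs.length - 2]);
  }
  return result;
}

// Render what `npm audit fix` proposes for `pkg`. fixAvailable is false, true,
// or an object; a semver-major move is the "breaking change" of the text
// report and is only applied with --force.
function fixDescription(audit, pkg) {
  const fix = audit.vulnerabilities[pkg].fixAvailable;
  if (fix === false) return `no fix available for ${pkg}`;
  if (fix === true) return `non-breaking fix available for ${pkg}`;
  return `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (semver-major, needs --force)" : ""}`;
}

for (const name of Object.keys(sampleAudit.vulnerabilities)) {
  console.log(name);
  console.log("  reached via:", chainsToDirectDeps(sampleAudit, name).map((c) => c.join(" -> ")).join("; "));
  console.log("  installed at:", JSON.stringify(nodeLocations(sampleAudit, name)));
  console.log("  proposed fix:", fixDescription(sampleAudit, name));
}
```

To run it against a real project, replace `sampleAudit` with `JSON.parse` of the output of `npm audit --json`. On the sample, the nested path shows that @sambego/storybook-state installs its own copy of react-dev-utils beside the top-level one, which is why the proposed fix is a semver-major move of @sambego/storybook-state rather than a change to react-dev-utils itself; whether the advisory is reachable in a given build is a separate question the audit data does not answer.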