
12969 High Vulnerabilities


Describe the bug

Running npx create-react-app dummyapp --typescript generates 12969 high severity vulnerabilities.

Have you done all these steps and still see the issue? yes

Npm version

6.4.1

Environment

npx create-react-app --info

npx: installed 91 in 13.567s

Environment Info:

  System:
    OS: Windows 10
    CPU: (8) x64 Intel(R) Xeon(R) CPU E5-1620 v4 @ 3.50GHz
  Binaries:
    Node: 10.15.0 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.4.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 41.16299.1004.0
    Internet Explorer: 11.0.16299.371
  npmPackages:
    react: ^16.8.6 => 16.8.6
    react-dom: ^16.8.6 => 16.8.6
    react-scripts: 3.0.1 => 3.0.1
  npmGlobalPackages:
    create-react-app: Not Found

Steps to reproduce

  1. npx create-react-app dummyapp --typescript

Expected behavior

no vulnerabilities

Actual behavior

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...


> core-js@2.6.9 postinstall C:\Users\hloudin\source\tests\dummyappv2\node_modules\babel-runtime\node_modules\core-js
> node scripts/postinstall || echo "ignore"


> core-js-pure@3.1.4 postinstall C:\Users\hloudin\source\tests\dummyappv2\node_modules\core-js-pure
> node scripts/postinstall || echo "ignore"

+ @types/react@16.8.23
+ @types/react-dom@16.8.4
+ react-dom@16.8.6
+ @types/jest@24.0.15
+ react@16.8.6
+ react-scripts@3.0.1
+ @types/node@12.6.2
+ typescript@3.5.3
added 1418 packages from 765 contributors and audited 902148 packages in 101.201s
found 12969 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
We detected TypeScript in your project (src\App.test.tsx) and created a tsconfig.json file for you.

Your tsconfig.json has been populated with default values.


Initialized a git repository.

Success! Created dummyappv2 at C:\Users\hloudin\source\tests\dummyappv2
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd dummyappv2
  npm start

Happy hacking!

Reproducible demo

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 2
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

2 reactions
heyimalex commented, Jul 12, 2019

There’s a “vulnerability” in set-value, and it’s apparently used everywhere. Hopefully https://github.com/jonschlinkert/set-value/issues/16 gets attention and we don’t need to worry about this. Maybe there are other things but I’m not sure.

1 reaction
heyimalex commented, Jul 12, 2019

I just got an email back from npm security for advisory 1012, they added 2.0.1 to remediated. I think we’re still dealing with 1013/mixin-deep, but I’ll check shortly.

Edit: Actually looks like we’re all clear!
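The install log above reports "found 12969 high severity vulnerabilities", and the comments trace that to a couple of advisories (1012 for set-value, 1013 for mixin-deep) in packages that sit deep in the react-scripts tree. The script below is an added example, not code from the issue or from create-react-app: it takes an npm 6 `npm audit --json` report and separates the headline number from what actually needs fixing. It assumes the npm 6 report layout (`advisories` keyed by id, each with `findings[].version` and `findings[].paths`, plus `metadata.vulnerabilities` severity counts), assumes the "found N vulnerabilities" line is the sum over dependency paths rather than over advisories, and treats `patched_versions` of `<0.0.0` as "no fix published". The embedded report, package names, versions and dependency paths are constructed for illustration.

```javascript
// Added example (not from the original issue or the create-react-app project):
// summarize an npm 6 `npm audit --json` report so the headline count can be
// compared with the distinct advisories and package versions behind it.
'use strict';

// Constructed sample in the npm 6 audit JSON layout (assumed; see lead-in).
// Advisory ids, versions and paths are illustrative, not taken from the issue.
const SAMPLE_REPORT = {
  advisories: {
    1012: {
      id: 1012,
      module_name: 'set-value',
      severity: 'high',
      vulnerable_versions: '<2.0.1',
      patched_versions: '>=2.0.1',
      findings: [
        { version: '2.0.0', paths: [
          'react-scripts>webpack>micromatch>snapdragon>base>cache-base>set-value',
          'react-scripts>webpack>micromatch>snapdragon>base>cache-base>union-value>set-value',
          'react-scripts>jest>jest-cli>micromatch>snapdragon>base>cache-base>set-value',
        ] },
      ],
    },
    1013: {
      id: 1013,
      module_name: 'mixin-deep',
      severity: 'high',
      vulnerable_versions: '<1.3.2',
      patched_versions: '>=1.3.2',
      findings: [
        { version: '1.3.1', paths: [
          'react-scripts>webpack>micromatch>snapdragon>base>mixin-deep',
          'react-scripts>jest>jest-cli>micromatch>snapdragon>base>mixin-deep',
        ] },
      ],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 5, critical: 0 } },
};

// Count every dependency path the way the npm 6 summary line does (assumed),
// and alongside it the distinct advisories and the distinct installed
// package@version pairs, which is the number of things that need patching.
function summarizeAudit(report) {
  const advisories = Object.values(report.advisories || {});
  const installs = new Set();
  const byAdvisory = [];
  let totalPaths = 0;
  for (const adv of advisories) {
    let paths = 0;
    for (const f of adv.findings || []) {
      paths += (f.paths || []).length;
      installs.add(`${adv.module_name}@${f.version}`);
    }
    totalPaths += paths;
    byAdvisory.push({
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      paths,
      // Assumption: npm marks advisories with no fix as patched_versions '<0.0.0'.
      fixAvailable: Boolean(adv.patched_versions) && adv.patched_versions !== '<0.0.0',
    });
  }
  return {
    totalPaths,
    distinctAdvisories: advisories.length,
    distinctInstalls: [...installs].sort(),
    byAdvisory,
  };
}

// Group vulnerable paths by the direct dependency they enter through. That is
// the package a bump (or `npm audit fix`) must go through; when every path
// starts at one pinned package such as react-scripts, nothing in your own
// package.json can be changed to remove them.
function pathsByDirectDependency(report) {
  const counts = {};
  for (const adv of Object.values(report.advisories || {})) {
    for (const f of adv.findings || []) {
      for (const p of f.paths || []) {
        const root = p.split('>')[0];
        counts[root] = (counts[root] || 0) + 1;
      }
    }
  }
  return counts;
}

// Check whether the severity totals in metadata equal the path count; if they
// do, the headline number is inflated by tree duplication, not by distinct bugs.
function headlineMatchesPaths(report) {
  const sev = (report.metadata && report.metadata.vulnerabilities) || {};
  const headline = Object.values(sev).reduce((a, b) => a + b, 0);
  return headline === summarizeAudit(report).totalPaths;
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
console.log(pathsByDirectDependency(SAMPLE_REPORT));
```

To run it on a real project, replace `SAMPLE_REPORT` with the parsed output of `npm audit --json` (for example by reading it from a file with the `fs` module). For the sample, the headline count of 5 collapses to 2 advisories and 2 installed versions, all reachable only through `react-scripts`, which is why `npm audit fix` has nothing it can change in an un-ejected CRA project and the fix has to arrive via a new react-scripts release or, as in this thread, via the advisory being updated.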

