96 vulnerabilities after running npx create-react-app my-app command

node version 16.3.0
npm version 7.15.1

While executing the command npx create-react-app my-app, I am getting

96 vulnerabilities (85 moderate, 11 high)

Please check.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...


added 1922 packages, and audited 1923 packages in 60s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Initialized a git repository.

Installing template dependencies using npm...

added 32 packages, and audited 1955 packages in 9s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
Removing template package using npm...


removed 1 package, and audited 1954 packages in 7s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Created git commit.

Success! Created my-app at /Users/bikashagrawal/react-projects/my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!

I tried to run npm audit fix and npm audit fix --force, but it didn’t help.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 35
  • Comments: 30 (3 by maintainers)

Top GitHub Comments

6 reactions
arobert93 commented, Jun 15, 2021

This is extremely important to be fixed as soon as possible.

6 reactions
mrwensveen commented, Jun 15, 2021

A lot of this has to do with the fact that react-scripts is added as a dependency instead of a devDependency. Technically, the vulnerabilities will not be deployed unless they are also dependencies of your package or another dependency that will get deployed.

I have proposed here that react-scripts should be a devDependency again so we don’t have to ignore a bunch of vulnerabilities every few weeks.

Edit: fixed link
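
The distinction drawn in the comment above, as an added example that is not from the issue thread or from Create React App: the same audit findings are split by whether the affected package is reachable from the app's runtime dependencies, once with react-scripts under dependencies and once under devDependencies. The lockfile fragment, the audit report and every example-* package name are constructed for illustration, and only the "dependencies" edges are followed.

```javascript
// Constructed npm 7 lockfile "packages" map; every example-* name is hypothetical.
const tree = {
  "node_modules/react": {},
  "node_modules/example-ui-lib": { dependencies: { "example-shared": "*" } },
  "node_modules/react-scripts": { dependencies: { "example-bundler": "*", "example-shared": "*" } },
  "node_modules/example-bundler": { dependencies: { "example-glob": "*" } },
  "node_modules/example-glob": {},
  "node_modules/example-shared": {},
};
// Constructed fragment in the shape of `npm audit --json` output from npm 7.
const report = { vulnerabilities: {
  "example-glob": { severity: "high", nodes: ["node_modules/example-glob"] },
  "example-bundler": { severity: "moderate", nodes: ["node_modules/example-bundler"] },
  "example-shared": { severity: "moderate", nodes: ["node_modules/example-shared"] },
} };
// Find where `name` resolves from the package at `from`, walking up like Node does.
function resolveDep(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.slice(0, Math.max(0, base.lastIndexOf("/node_modules/")));
  }
}

// Install paths reachable from the root's runtime dependencies (devDependencies are skipped).
function productionPaths(packages) {
  const seen = new Set(), todo = [""];
  while (todo.length) {
    const from = todo.pop();
    for (const name of Object.keys(packages[from].dependencies || {})) {
      const hit = resolveDep(packages, from, name);
      if (hit && !seen.has(hit)) { seen.add(hit); todo.push(hit); }
    }
  }
  return seen;
}

// Split audit findings by whether any affected install path ships with the app.
function splitFindings(rootManifest) {
  const prod = productionPaths({ ...tree, "": rootManifest });
  const out = { production: [], devOnly: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities))
    out[v.nodes.some((n) => prod.has(n)) ? "production" : "devOnly"].push(name);
  return out;
}
const runtime = { react: "*", "example-ui-lib": "*" };
const asDependency = splitFindings({ dependencies: { ...runtime, "react-scripts": "*" } });
const asDevDependency = splitFindings({ dependencies: runtime, devDependencies: { "react-scripts": "*" } });
```

With react-scripts under devDependencies, only example-shared remains a production finding, because a runtime dependency also pulls it in. On npm 7, `npm audit --production` applies the same filter to a real project.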
