"found 1 low severity vulnerability" warning while creating React App using "npx create-react-app" command.
Describe the bug
While creating React-App using npx create-react-app command this warning comes:
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Did you try recovering your dependencies?
Tried: npm install -g npm@latest
Which terms did you search for in User Guide?
(Write your answer here if relevant.)
Environment
current version of create-react-app: 3.4.1

  System:
    OS: Windows 10 10.0.19041
    CPU: (8) x64 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
  Binaries:
    Node: 12.18.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.19041.1.0
    Internet Explorer: 11.0.19041.1
  npmPackages:
    react: ^16.13.1 => 16.13.1
    react-dom: ^16.13.1 => 16.13.1
    react-scripts: 3.4.1 => 3.4.1
  npmGlobalPackages:
    create-react-app: Not Found
Steps to reproduce
- When we run create-react-app this issue arises.
Expected behavior
To create a React App without any low severity vulnerability
Actual behavior
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low         Prototype Pollution
Package     yargs-parser
Patched in  >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Path        react-scripts > webpack-dev-server > yargs > yargs-parser
More info   https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1641 scanned packages
1 vulnerability requires manual review. See the full report for details.
Reproducible demo
npx create-react-app
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:9 (1 by maintainers)
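Added example, not part of the original issue or of create-react-app: a dependency-free check of installed yargs-parser versions against the "Patched in" range from the audit report above, run over a tree shaped like `npm ls --json` output. The sample tree and its version numbers (other than react-scripts 3.4.1) are constructed, and `example-cli` is a hypothetical package.

```javascript
// Patched range copied verbatim from the audit report above.
const PATCHED = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2";

// Parse plain "MAJOR.MINOR.PATCH"; prerelease tags are rejected, not guessed at.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Return -1, 0 or 1 for a < b, a == b, a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const OPS = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0, "<": (c) => c < 0, "=": (c) => c === 0 };

// A range is an OR ("||") of comparator sets; every comparator in a set must hold.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      return OPS[m[1] || "="](compare(v, parseVersion(m[2])));
    })
  );
}

// Walk a tree shaped like `npm ls --json` output and list every copy of pkg outside the range.
function findUnpatched(tree, pkg, range, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && !satisfies(node.version, range)) hits.push({ path: here.join(" > "), version: node.version });
    hits.push(...findUnpatched(node, pkg, range, here));
  }
  return hits;
}

// Constructed sample tree: the versions are invented; "example-cli" is hypothetical.
const SAMPLE_TREE = { dependencies: {
  "react-scripts": { version: "3.4.1", dependencies: { "webpack-dev-server": { version: "0.0.1", dependencies: {
    yargs: { version: "0.0.1", dependencies: { "yargs-parser": { version: "11.1.1" } } } } } } },
  "example-cli": { version: "0.0.1", dependencies: { "yargs-parser": { version: "18.1.3" } } },
} };

console.log(findUnpatched(SAMPLE_TREE, "yargs-parser", PATCHED));
```

Reporting the full path for each hit shows whether an unpatched copy sits under a build-time tool such as webpack-dev-server or under code that ships to users.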
Top GitHub Comments
The security vulnerability is from `yargs-parser`. This issue was previously reported here as #9033, which is now closed. It seems we are expected to wait for version 4.0 for this issue to be resolved.
In my opinion, there should be a version 3.4.2 patch release that fixes the issue, since expecting people to upgrade to a new major version is not really a solution.
I am happy to do the necessary PR and related steps if someone can point me in the right direction…
Please see my reply in https://github.com/facebook/create-react-app/issues/9033#issuecomment-671847777.
There was no actual vulnerability here but we released `react-scripts@3.4.2` to address the warning.