
"found 1 low severity vulnerability" warning while creating React App using "npx create-react-app" command.

See original GitHub issue

Describe the bug

While creating a React app using the npx create-react-app command, this warning appears:

    found 1 low severity vulnerability
      run `npm audit fix` to fix them, or `npm audit` for details

Did you try recovering your dependencies?

Tried: npm install -g npm@latest

Environment

current version of create-react-app: 3.4.1

System:
    OS: Windows 10 10.0.19041
    CPU: (8) x64 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
Binaries:
    Node: 12.18.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
Browsers:
    Edge: 44.19041.1.0
    Internet Explorer: 11.0.19041.1
npmPackages:
    react: ^16.13.1 => 16.13.1
    react-dom: ^16.13.1 => 16.13.1
    react-scripts: 3.4.1 => 3.4.1
npmGlobalPackages:
    create-react-app: Not Found

Steps to reproduce

  1. When we run create-react-app, this issue arises.

Expected behavior

To create a React App without any low severity vulnerability

Actual behavior

    found 1 low severity vulnerability
      run `npm audit fix` to fix them, or `npm audit` for details

                === npm audit security report ===

                        Manual Review
    Some vulnerabilities require your attention to resolve

    Visit https://go.npm.me/audit-guide for additional guidance

    Low             Prototype Pollution
    Package         yargs-parser
    Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
    Path            react-scripts > webpack-dev-server > yargs > yargs-parser
    More info       https://npmjs.com/advisories/1500

    found 1 low severity vulnerability in 1641 scanned packages
    1 vulnerability requires manual review. See the full report for details.

Reproducible demo

npx create-react-app
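The report above gives a practitioner three facts to triage on: the installed copy's version against the "Patched in" ranges, and the dependency path, which here starts at build tooling (react-scripts > webpack-dev-server) rather than at anything shipped to users. The following is an added example, not code from the issue or from create-react-app, that performs that triage over npm 6 style `npm audit --json` data using only Node built-ins. The sample object is constructed by hand (the installed version 13.1.1 is invented, since the issue never states it); the field names `advisories`, `findings`, `patched_versions` and `paths` follow the npm 6 audit JSON layout as an assumption, and treating paths rooted at react-scripts or webpack-dev-server as "build tooling only" is a heuristic of this example, not an npm rule.

```javascript
// Added example, not code from the issue or from create-react-app: triage an
// `npm audit --json` style finding such as the one in the report above.
// The sample below is constructed; its field names follow the npm 6 audit JSON
// layout (advisories -> findings) as an assumption.

const sampleAudit = {
  advisories: {
    "1500": {
      id: 1500,
      module_name: "yargs-parser",
      severity: "low",
      title: "Prototype Pollution",
      url: "https://npmjs.com/advisories/1500",
      // range copied from the report in the issue
      patched_versions: ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2",
      findings: [
        {
          version: "13.1.1", // constructed; the issue does not state the installed version
          paths: ["react-scripts>webpack-dev-server>yargs>yargs-parser"],
          dev: false,
        },
      ],
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (a leading "v" is tolerated; prerelease tags are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing the three numeric components in order.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  ">=": (c) => c >= 0,
  ">": (c) => c > 0,
  "<=": (c) => c <= 0,
  "<": (c) => c < 0,
  "=": (c) => c === 0,
};

// Does `version` fall inside a range such as ">=13.1.2 <14.0.0 || >=18.1.2"?
// Alternatives are OR-ed on "||"; comparators inside one alternative are AND-ed.
function satisfies(version, range) {
  return range.split("||").some((alternative) => {
    const comparators = alternative.trim().split(/\s+/).filter(Boolean);
    return comparators.every((comparator) => {
      const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(comparator);
      const op = m[1] || "=";
      return OPS[op](compareVersions(version, m[2]));
    });
  });
}

// Roots of dependency paths that only run on a developer's machine at build time.
// Treating them as "build tooling" is a triage heuristic of this example, not an npm rule.
const BUILD_TOOL_ROOTS = ["react-scripts", "webpack-dev-server"];

// One triage row per finding: is the installed version already inside the
// patched range, and is the vulnerable copy reachable only through build tooling?
function triageAudit(audit, buildToolRoots = BUILD_TOOL_ROOTS) {
  const rows = [];
  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      const patched = satisfies(finding.version, adv.patched_versions);
      const buildToolingOnly =
        finding.dev || finding.paths.every((p) => buildToolRoots.includes(p.split(">")[0]));
      rows.push({
        advisory: adv.id,
        module: adv.module_name,
        severity: adv.severity,
        title: adv.title,
        installed: finding.version,
        patched,
        exposure: patched ? "none (patched)" : buildToolingOnly ? "build tooling only" : "runtime dependency",
      });
    }
  }
  return rows;
}

// Stand-alone run prints the table for the constructed sample; for a real project,
// replace sampleAudit with JSON.parse of the `npm audit --json` output.
if (typeof require !== "undefined" && require.main === module) {
  console.table(triageAudit(sampleAudit));
}
```

The "exposure" column is what separates a warning worth a same-day fix from one that can wait for the next tooling release: a finding that is patched already is noise, one reachable only through build tooling affects the developer's own machine when that tooling runs, and one on a runtime path ships to users.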

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 1
  • Comments: 9 (1 by maintainers)

Top GitHub Comments

5 reactions
rikoe commented, Jul 31, 2020

The security vulnerability is from yargs-parser. This issue was previously reported here as #9033, which is now closed.

It seems we are expected to wait for version 4.0 for this issue to be resolved.

In my opinion, there should be a version 3.4.2 patch release that fixes the issue, since expecting people to upgrade to a new major version is not really a solution.

I am happy to do the necessary PR and related steps if someone can point me in the right direction…

3 reactions
gaearon commented, Aug 11, 2020

Please see my reply in https://github.com/facebook/create-react-app/issues/9033#issuecomment-671847777.

There was no actual vulnerability here but we released react-scripts@3.4.2 to address the warning.
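The advisory row in the report names the bug class, prototype pollution, and the maintainer's reply turns on whether it was reachable in practice. The following is an added example, not yargs-parser's or create-react-app's code, that shows the class in its smallest form: a dotted-key setter of the kind an argument parser uses for `--a.b=1`, first in a naive shape that walks into `Object.prototype` when handed a `__proto__` segment, then in a hardened shape that rejects reserved segments, descends only into own properties, and builds intermediate nodes with no prototype chain. Function names and the sample keys are constructed for the illustration.

```javascript
// Added example, not yargs-parser's or create-react-app's code: a minimal
// argv-style dotted-key setter in a pollutable form and a hardened form.
// Function names and sample keys are constructed for the illustration.

// Naive dotted-key assignment. It follows whatever `cur[part]` resolves to,
// inherited accessors included, so a "__proto__" segment steps into
// Object.prototype and the final write lands on every plain object.
function setPathUnsafe(obj, dottedKey, value) {
  const parts = dottedKey.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Key segments that reach the prototype chain from any plain object.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened form: reject reserved segments outright, descend only into own
// properties, and create intermediate nodes without a prototype chain.
function setPathSafe(obj, dottedKey, value) {
  const parts = dottedKey.split(".");
  for (const part of parts) {
    if (RESERVED_KEYS.has(part)) throw new Error(`refusing to set reserved key "${part}"`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
      cur[parts[i]] = Object.create(null);
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Shows the pollution on a throwaway key, then removes it so the process is left clean.
function unsafeDemo() {
  const argv = {};
  setPathUnsafe(argv, "__proto__.polluted", "yes");
  const leakedIntoFreshObject = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leakedIntoFreshObject;
}

// The same key against the hardened setter: rejected, ordinary keys still
// work, and a fresh object sees nothing.
function hardenedDemo() {
  const argv = Object.create(null); // parser output with no prototype to reach
  let rejected = false;
  try {
    setPathSafe(argv, "__proto__.polluted", "yes");
  } catch (e) {
    rejected = true;
  }
  setPathSafe(argv, "server.port", 3000);
  return { rejected, port: argv.server.port, leaked: ({}).polluted !== undefined };
}
```

For a CLI parser the input to this setter is the command line, which on a developer's own machine is typed by that developer; the check matters where the same dotted-key logic is fed data from a request body, a query string or a config file, and the cheapest mitigation is the reserved-segment rejection plus null-prototype nodes shown in `setPathSafe`.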

