Help, `npm audit` says I have a vulnerability in react-scripts!
## `npm audit` is broken for front-end tooling by design
Bad news, but it’s true. See here for a longer explanation.
## If you think you found a real vulnerability in react-scripts
If you know that it affects CRA users because you understand what the vulnerability is, report it here as soon as possible.
If you’re not sure but your CI is failing or you’re worried about what `npm audit` tells you, keep reading.
**Do not file new issues based on `npm audit` if you don’t 100% understand the problem.** They will be closed (see why below). If you really need to discuss it, reply in this thread instead.
## `npm audit` says there’s a warning about vulnerabilities in my project
Open `package.json`. You will find this:

```json
"dependencies": {
  "react": "^17.0.2",
  "react-dom": "^17.0.2",
  "react-scripts": "4.0.3"
}
```
Take `react-scripts` and move it to `devDependencies` (if you don’t have it, create it):

```json
"dependencies": {
  "react": "^17.0.2",
  "react-dom": "^17.0.2"
},
"devDependencies": {
  "react-scripts": "4.0.3"
},
```
Then, ensure you run `npm audit --production` rather than `npm audit`. This will fix your warnings.
## But isn’t this just ignoring the problem?
No.
Create React App is a build tool. In other words, it doesn’t produce a running Node application. It runs at the build time during development, and produces static assets.
However, `npm audit` is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.
This means that the overwhelming amount of “vulnerability” reports we receive for transitive dependencies are false positives. Despite literally a hundred issues with thousands of comments about `npm audit` warnings in `react-scripts`, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users.
This is a huge waste of everyone’s time. Mostly of yours, but of ours too.
## But I still see these warnings when creating a new project or running `npm install`
Yes, unfortunately that’s how `npm` works since v6. You can bring it up with npm. If enough people complain, maybe they’ll rethink this decision. It is unfortunately actively hostile to build tooling.
Note that you can run `npm install --no-audit` to suppress them.
## I know the transitive dependency has a fix, how can I try it?
If you already know that `some-library@x.y.z` has the fix that you need, but `react-scripts` hasn’t yet updated to it, you can try your luck using that version forcefully. With Yarn, you can do it using resolutions. With npm, you might need to wait for overrides or npm audit fix overrides integration to land first (it’s not implemented yet). You can also try npm-force-resolutions.
## But can’t a build tool have vulnerabilities, too?
Yes, in principle.
The few times there was an actual vulnerability, it was reported separately, and we released patches as soon as it was possible. You can always report real vulnerabilities here, but please do this if you understand the difference between a real vulnerability and a false positive. For example, a “Regex DDOS attack” can never be a real vulnerability for a development-time tool. If you’re not sure, you’re welcome to ask in this thread, but please keep it brief and to the point so that the thread doesn’t become unreadable.
Really, the worst problem is that when there is a real attack poisoning the build toolchain, we won’t know about it because it will be buried underneath the 99.9% of false positives.
Issue Analytics
- Created 2 years ago
- Reactions: 744
- Comments: 80 (12 by maintainers)
Top GitHub Comments
Can’t blame people for being concerned, big red ‘96 high risk vulnerabilities’ is sure to get everyone’s attention. Thanks for the update though.
@bcagarwal I empathize with this but I really don’t know what we should be doing here. I feel out of my depth. npm added these warnings without consulting or working with the build tool ecosystem, and now an untold number of person-years is being spent chasing this security theater. I am beyond frustrated by this, as I imagine you are, but I don’t know who and how can solve this.