Moderate vulnerabilities when running npx create-react-app

I get 20 moderate vulnerabilities when running `npx create-react-app`. Running `npm audit fix` does not fix it. Was wondering if this has been reported?

![Screenshot 2021-05-07 at 2 10 44 AM](https://user-images.githubusercontent.com/41635847/117345724-72144780-aed9-11eb-9266-5fc9f34de2d6.png)
![Screenshot 2021-05-07 at 2 11 13 AM](https://user-images.githubusercontent.com/41635847/117345772-835d5400-aed9-11eb-8a04-5faac8c7a658.png)
```text
# npm audit report

hosted-git-info  <3.0.8
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix --force`
Will install react-scripts@1.0.10, which is a breaking change
node_modules/hosted-git-info
  normalize-package-data  2.0.0 - 2.5.0
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/@jest/core/node_modules/read-pkg
    node_modules/@jest/reporters/node_modules/read-pkg
    node_modules/jest-config/node_modules/read-pkg
    node_modules/jest-resolve/node_modules/read-pkg
    node_modules/jest-runner/node_modules/read-pkg
    node_modules/jest-runtime/node_modules/read-pkg
    node_modules/jest-snapshot/node_modules/read-pkg
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/@jest/core/node_modules/read-pkg-up
      node_modules/@jest/reporters/node_modules/read-pkg-up
      node_modules/jest-config/node_modules/read-pkg-up
      node_modules/jest-resolve/node_modules/read-pkg-up
      node_modules/jest-runner/node_modules/read-pkg-up
      node_modules/jest-runtime/node_modules/read-pkg-up
      node_modules/jest-snapshot/node_modules/read-pkg-up
      node_modules/read-pkg-up
        eslint-plugin-import  >=2.3.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/eslint-plugin-import
          eslint-config-react-app  2.0.0 - 3.0.0-next.fb6e6f70 || >=6.0.0-next.64
          Depends on vulnerable versions of eslint-plugin-import
          node_modules/eslint-config-react-app
            react-scripts  >=1.0.11
            Depends on vulnerable versions of eslint-config-react-app
            Depends on vulnerable versions of eslint-plugin-import
            Depends on vulnerable versions of jest-resolve
            node_modules/react-scripts
        jest-resolve  25.4.0 - 26.4.0 || 26.5.2 - 26.6.2
        Depends on vulnerable versions of read-pkg-up
        node_modules/@jest/core/node_modules/jest-resolve
        node_modules/@jest/reporters/node_modules/jest-resolve
        node_modules/jest-config/node_modules/jest-resolve
        node_modules/jest-resolve
        node_modules/jest-runner/node_modules/jest-resolve
        node_modules/jest-runtime/node_modules/jest-resolve
        node_modules/jest-snapshot/node_modules/jest-resolve
          @jest/core  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/core
            jest  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest
            jest-cli  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest-cli
          @jest/reporters  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/reporters
          jest-config  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-config
          jest-runner  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runner
            jest-circus  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runner
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-circus
          jest-runtime  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runtime
            @jest/test-sequencer  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/@jest/test-sequencer
            jest-jasmine2  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-jasmine2
          jest-snapshot  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-snapshot
            jest-resolve-dependencies  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

20 moderate severity vulnerabilities
```
Issue Analytics
- Created: 2 years ago
- Reactions: 48
- Comments: 51 (1 by maintainers)
When we run `yarn audit`, we get similar warnings about `hosted-git-info`, which needs to be upgraded to 3.0.8. This relates to an issue reported just today (May 6th, 2021): https://www.npmjs.com/advisories/1677

`react-scripts` uses `hosted-git-info` as a dependency, so it will need to be upgraded to the patched version.

When the hell it's gonna resolve any update regarding this?