Moderate vulnerabilities when running npx create-react-app

I get 20 moderate vulnerabilities when running npx create-react-app. Running npm audit fix does not fix it. Was wondering if this has been reported?

# npm audit report

hosted-git-info  <3.0.8

Severity: moderate
Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix --force`
Will install react-scripts@1.0.10, which is a breaking change
node_modules/hosted-git-info
  normalize-package-data  2.0.0 - 2.5.0
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/@jest/core/node_modules/read-pkg
    node_modules/@jest/reporters/node_modules/read-pkg
    node_modules/jest-config/node_modules/read-pkg
    node_modules/jest-resolve/node_modules/read-pkg
    node_modules/jest-runner/node_modules/read-pkg
    node_modules/jest-runtime/node_modules/read-pkg
    node_modules/jest-snapshot/node_modules/read-pkg
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/@jest/core/node_modules/read-pkg-up
      node_modules/@jest/reporters/node_modules/read-pkg-up
      node_modules/jest-config/node_modules/read-pkg-up
      node_modules/jest-resolve/node_modules/read-pkg-up
      node_modules/jest-runner/node_modules/read-pkg-up
      node_modules/jest-runtime/node_modules/read-pkg-up
      node_modules/jest-snapshot/node_modules/read-pkg-up
      node_modules/read-pkg-up
        eslint-plugin-import  >=2.3.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/eslint-plugin-import
          eslint-config-react-app  2.0.0 - 3.0.0-next.fb6e6f70 || >=6.0.0-next.64
          Depends on vulnerable versions of eslint-plugin-import
          node_modules/eslint-config-react-app
            react-scripts  >=1.0.11
            Depends on vulnerable versions of eslint-config-react-app
            Depends on vulnerable versions of eslint-plugin-import
            Depends on vulnerable versions of jest-resolve
            node_modules/react-scripts
        jest-resolve  25.4.0 - 26.4.0 || 26.5.2 - 26.6.2
        Depends on vulnerable versions of read-pkg-up
        node_modules/@jest/core/node_modules/jest-resolve
        node_modules/@jest/reporters/node_modules/jest-resolve
        node_modules/jest-config/node_modules/jest-resolve
        node_modules/jest-resolve
        node_modules/jest-runner/node_modules/jest-resolve
        node_modules/jest-runtime/node_modules/jest-resolve
        node_modules/jest-snapshot/node_modules/jest-resolve
          @jest/core  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/core
            jest  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest
            jest-cli  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest-cli
          @jest/reporters  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/reporters
          jest-config  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-config
          jest-runner  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runner
            jest-circus  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runner
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-circus
          jest-runtime  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runtime
            @jest/test-sequencer  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/@jest/test-sequencer
            jest-jasmine2  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-jasmine2
          jest-snapshot  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-snapshot
            jest-resolve-dependencies  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

20 moderate severity vulnerabilities

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 48
  • Comments: 51 (1 by maintainers)

Top GitHub Comments

11 reactions
jdmann commented, May 6, 2021

When we run yarn audit, we get similar warnings about hosted-git-info, which needs to be upgraded to 3.0.8. This relates to an issue reported just today (May 6th, 2021).

https://www.npmjs.com/advisories/1677

react-scripts uses hosted-git-info as a dependency, so it will need to be upgraded to the patched version.
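A way to check whether a project's own lockfile still carries copies of the affected package below the patched release, as an added example (not code from the issue, its commenters, or create-react-app). It assumes a lockfileVersion 2 package-lock.json and uses a constructed sample tree modelled on the audit report above.

```javascript
// Added example: walk the "packages" map of a package-lock.json (lockfileVersion 2)
// and list every installed copy of a package whose version is below the patched
// release, e.g. hosted-git-info < 3.0.8 (advisory 1677 in the audit report above).

// Minimal comparison on the major.minor.patch core. Prerelease tags are dropped,
// which is an assumption made to keep the helper short.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for every node_modules entry of `name` below `patched`.
// Nested copies (node_modules/x/node_modules/<name>) and scoped packages are handled
// by taking the segment after the last "node_modules/".
function findVulnerableCopies(lock, name, patched) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // root project entry or link entry
    const last = path.lastIndexOf("node_modules/");
    if (last === -1) continue;
    const pkgName = path.slice(last + "node_modules/".length);
    if (pkgName !== name) continue;
    if (compareVersions(meta.version, patched) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (sample data, not a real project's lock).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/hosted-git-info": { version: "2.8.8" },
    "node_modules/normalize-package-data": { version: "2.5.0" },
    "node_modules/react-scripts/node_modules/hosted-git-info": { version: "3.0.8" },
    "node_modules/@jest/core/node_modules/read-pkg": { version: "5.2.0" },
  },
};

function auditSample() {
  return findVulnerableCopies(SAMPLE_LOCK, "hosted-git-info", "3.0.8");
}

console.log(JSON.stringify(auditSample())); // only the top-level copy is still < 3.0.8
```

Pointing `findVulnerableCopies` at the parsed contents of a real package-lock.json shows which nested copies `npm audit fix` has not yet replaced.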

9 reactions
DevHamzaa commented, Jun 14, 2021

When the hell is it gonna get resolved? Any update regarding this?
