Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Rethink decision to make react-scripts a dependency instead of a devDependency
See original GitHub issueIs your proposal related to a problem?
The decision to make react-scripts a dependency causes a lot of issues regarding perceived security vulnerabilities. Even though the issues themselves are technically harmless, these issues often break CI/CD flows and/or end up being reported here as actual issues.
Describe the solution you’d like
The decision to make react-scripts a dependency was in my opinion ill-conceived. There are issues with having react-scrips a devDependency as stated in the original pull request:
- The distinction does not make sense. Nonetheless, tools like
npm auditare dependent on this distinction. - Apparently some people build on the production server? They shouldn’t.
- An actual run-time dependency in the form of a polyfill is included. This could be a separate (and optional?) dependency.
- Eject crashes in some situations (issue #2655)
- Possibly other issues…
In my opinion, a shortcut was taken to work around some problems that should have been fixed separately.
Describe alternatives you’ve considered
It’s possible to move react-scripts to devDependencies by hand, or to eject your React application. Both solve the problem (afaict) but a lot of people are not willing to do this or are unaware of the possibility.
Another possibility would be for the developers to update dependencies whenever a vulnerability pops up as fast as possible, and/or to help developers of dependent package to fix their dependencies. Maybe get Facebook to throw some money behind a React Vulnerability Strike Team ™ or something.
Additional context
One way or another a solution is needed. Every time some vulnerability pops up I see a lot of frustration in the comments. Even though someone always politely explains the actual security implications, there are always a few people saying (and probably more people thinking) that you don’t actually care that much about security. Rationally I know this not to be true, but I get frustrated as well sometimes (I’m only human after all).
Issue Analytics
- State:
- Created 2 years ago
- Reactions:39
- Comments:16 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
All of these issues are duplicates or are related: https://github.com/facebook/create-react-app/issues/11136 https://github.com/facebook/create-react-app/issues/11131 https://github.com/facebook/create-react-app/issues/11118 https://github.com/facebook/create-react-app/issues/11116 https://github.com/facebook/create-react-app/issues/11109 https://github.com/facebook/create-react-app/issues/11092 https://github.com/facebook/create-react-app/issues/11081 https://github.com/facebook/create-react-app/issues/11077 https://github.com/facebook/create-react-app/issues/11067 https://github.com/facebook/create-react-app/issues/11054
and could be solved by #11102
@rvramesh You’re correct. The vulnerabilities will only be ignored when you run
npm audit --production, which is usually the case when audit is integrated in your CI/CD setup. Without the option the output will show the vulnerability but with a[dev]tag.