Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vulnerabilities found after using npx create-react-app

See original GitHub issue

npm audit report

browserslist 4.0.0 - 4.16.4 Severity: moderate Regular Expression Denial of Service - https://npmjs.com/advisories/1747 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/react-dev-utils/node_modules/browserslist react-dev-utils >=6.0.0-next.03604a46 Depends on vulnerable versions of browserslist node_modules/react-dev-utils react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts

css-what <5.0.1 Severity: high Denial of Service - https://npmjs.com/advisories/1754 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/svgo/node_modules/css-what css-select <=3.1.2 Depends on vulnerable versions of css-what node_modules/svgo/node_modules/css-select svgo >=1.0.0 Depends on vulnerable versions of css-select node_modules/svgo @svgr/plugin-svgo * Depends on vulnerable versions of svgo node_modules/@svgr/plugin-svgo @svgr/webpack >=4.0.0 Depends on vulnerable versions of @svgr/plugin-svgo node_modules/@svgr/webpack react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts postcss-svgo >=4.0.0-nightly.2020.1.9 Depends on vulnerable versions of svgo node_modules/postcss-svgo cssnano-preset-default * Depends on vulnerable versions of postcss-normalize-url Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.6 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin

glob-parent <5.1.2 Severity: moderate Regular expression denial of service - https://npmjs.com/advisories/1751 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/watchpack-chokidar2/node_modules/glob-parent node_modules/webpack-dev-server/node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 3.11.2 Depends on vulnerable versions of chokidar node_modules/webpack-dev-server @pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4 Depends on vulnerable versions of webpack-dev-server node_modules/@pmmmwh/react-refresh-webpack-plugin react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts

normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/1755 fix available via npm audit fix --force Will install react-scripts@1.1.5, which is a breaking change node_modules/normalize-url node_modules/postcss-normalize-url/node_modules/normalize-url mini-css-extract-plugin 0.6.0 - 1.0.0 Depends on vulnerable versions of normalize-url node_modules/mini-css-extract-plugin react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts postcss-normalize-url <=4.0.1 Depends on vulnerable versions of normalize-url node_modules/postcss-normalize-url cssnano-preset-default * Depends on vulnerable versions of postcss-normalize-url Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.6 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:8
  • Comments:21 (2 by maintainers)

github_iconTop GitHub Comments

5reactions
rhalalycommented, Jun 28, 2021

These vulnerabilities have been around for a long time. Is there any plan to fix them??

3reactions
csolisrcommented, Jun 28, 2021

I manually upgraded all the dependencies in the package.json to latest, and it’s still reporting 22 vulnerabilities (9 moderate, 13 high). I suspect the react-scripts package is at fault, depending on several outdated packages - are there any plans to upgrade them upstream to more modern versions? Not even npm audit fix --force is working on my side.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Help, `npm audit` says I have a vulnerability in react-scripts!
npm audit is broken for front-end tooling by design. Bad news, but it's true. See here for a longer explanation.
Read more >
Vulnerabilities with create-react-app React Js - Stack Overflow
Vulnerabilities with create-react-app React Js ; 96 vulnerabilities found - Packages ; audited: 1682 ; Severity: 65 ; Moderate | 30 ; High...
Read more >
80 moderate severity vulnerabilities on create-react-app - Reddit
Create -React-app is a huge module. It is going to accumulate vulnerabilities all the time. I updated a React app from 2017 a...
Read more >
create-react-app - npm Package Health Analysis - Snyk
While scanning the latest version of create-react-app, we found that a security review is needed. A total of 6 vulnerabilities or license issues...
Read more >
Better ways to Create React App - DEV Community ‍ ‍
npx create -react-app my-app. And observe the following console output: Installing packages. This might take a couple of minutes.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Help, `npm audit` says I have a vulnerability in react-scripts!

Next page

Rethink decision to make react-scripts a dependency instead of a devDependency