Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
hello-world doesn't run; I get ERR_OSSL_EVP_UNSUPPORTED instead
See original GitHub issueIt’s been a while since I’ve worked with React, so I bought this book and am following Chapter 1 on my Linux machine. I’m running Mint 20, and used nvm 0.39.0 to install node v17.0.1.
I’m not sure I’ve really felt ‘JavaScript fatigue’, but starting new React projects has been a gauntlet in the past, so I was excited when I read about create-react-app. It hasn’t worked out for me, though, and I haven’t found any more info about this hello-world app. Can you tell me what’s wrong, or where to go for help?
$ create-react-app hello-world --template typescript
Creating a new React app in /home/mscheper/git/r17dpabp/hello-world.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template-typescript...
added 1890 packages, and audited 1891 packages in 21s
152 packages are looking for funding
run `npm fund` for details
58 vulnerabilities (16 moderate, 40 high, 2 critical)
To address all issues, run:
npm audit fix
Run `npm audit` for details.
Initialized a git repository.
Installing template dependencies using npm...
added 49 packages, changed 1 package, and audited 1940 packages in 4s
153 packages are looking for funding
run `npm fund` for details
58 vulnerabilities (16 moderate, 40 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
We detected TypeScript in your project (src/App.test.tsx) and created a tsconfig.json file for you.
Your tsconfig.json has been populated with default values.
Removing template package using npm...
removed 1 package, and audited 1939 packages in 5s
153 packages are looking for funding
run `npm fund` for details
58 vulnerabilities (16 moderate, 40 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Created git commit.
Success! Created hello-world at /home/mscheper/git/r17dpabp/hello-world
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd hello-world
npm start
Happy hacking!
58 vulnerabilities sounds pretty bad. Sure enough, when I did cd hello-world and npm start, after some stuff flashed in my terminal and my scroll buffer got cleared, 😒 I got this:
Starting the development server...
/home/mscheper/git/r17dpabp/hello-world/node_modules/react-scripts/scripts/start.js:19
throw err;
^
Error: error:0308010C:digital envelope routines::unsupported
at new Hash (node:internal/crypto/hash:67:19)
at Object.createHash (node:crypto:130:10)
at module.exports (/home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/util/createHash.js:135:53)
at NormalModule._initBuildHash (/home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/NormalModule.js:417:16)
at /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/NormalModule.js:452:10
at /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/NormalModule.js:323:13
at /home/mscheper/git/r17dpabp/hello-world/node_modules/loader-runner/lib/LoaderRunner.js:367:11
at /home/mscheper/git/r17dpabp/hello-world/node_modules/loader-runner/lib/LoaderRunner.js:233:18
at context.callback (/home/mscheper/git/r17dpabp/hello-world/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
at /home/mscheper/git/r17dpabp/hello-world/node_modules/babel-loader/lib/index.js:59:103 {
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
Node.js v17.0.1
I tried websearching for this error, and looked for a repo for the hello-world app, but didn’t find anything that looked helpful.
Then I tried:
$npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 3.4.4,which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-scripts@3.4.4
npm WARN Found: typescript@4.4.4
npm WARN node_modules/typescript
npm WARN typescript@"^4.4.4" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm WARN node_modules/react-scripts
npm WARN react-scripts@"3.4.4" from the root project
npm WARN
npm WARN Conflicting peer dependency: typescript@3.9.10
npm WARN node_modules/typescript
npm WARN peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm WARN node_modules/react-scripts
npm WARN react-scripts@"3.4.4" from the root project
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated eslint-loader@3.0.3: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated html-webpack-plugin@4.0.0-beta.11: please switch to a stable version
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 388 packages, removed 459 packages, changed 239 packages, and audited 1869 packages in 23s
99 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/ansi-html
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/jest-config/node_modules/ansi-regex
node_modules/jest-each/node_modules/ansi-regex
node_modules/jest-jasmine2/node_modules/ansi-regex
node_modules/jest-leak-detector/node_modules/ansi-regex
node_modules/jest-matcher-utils/node_modules/ansi-regex
node_modules/jest-snapshot/node_modules/ansi-regex
node_modules/jest-validate/node_modules/ansi-regex
node_modules/react-dev-utils/node_modules/inquirer/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex
pretty-format 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of ansi-regex
node_modules/jest-config/node_modules/pretty-format
node_modules/jest-each/node_modules/pretty-format
node_modules/jest-jasmine2/node_modules/pretty-format
node_modules/jest-leak-detector/node_modules/pretty-format
node_modules/jest-matcher-utils/node_modules/pretty-format
node_modules/jest-snapshot/node_modules/pretty-format
node_modules/jest-validate/node_modules/pretty-format
jest-config 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of @jest/test-sequencer
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of pretty-format
node_modules/jest-config
@jest/core <=25.5.4
Depends on vulnerable versions of @jest/reporters
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of strip-ansi
node_modules/@jest/core
jest-cli 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-validate
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-runner 21.0.0-alpha.1 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-leak-detector
node_modules/jest-runner
@jest/test-sequencer <=24.9.0
Depends on vulnerable versions of jest-runner
node_modules/@jest/test-sequencer
jest-runtime 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-validate
Depends on vulnerable versions of yargs
node_modules/jest-runtime
@jest/reporters <=26.4.0
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of string-length
node_modules/@jest/reporters
jest-jasmine2 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of jest-each
Depends on vulnerable versions of jest-matcher-utils
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of pretty-format
node_modules/jest-jasmine2
jest-diff 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of pretty-format
node_modules/jest-matcher-utils/node_modules/jest-diff
node_modules/jest-snapshot/node_modules/jest-diff
jest-matcher-utils 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of jest-diff
Depends on vulnerable versions of pretty-format
node_modules/jest-matcher-utils
expect 21.0.0-beta.1 - 24.9.0
Depends on vulnerable versions of jest-matcher-utils
Depends on vulnerable versions of jest-message-util
node_modules/expect
jest-snapshot 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of pretty-format
node_modules/jest-snapshot
jest-resolve-dependencies 23.0.0-alpha.5 - 24.9.0
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
jest-each 23.0.1 - 24.9.0
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of pretty-format
node_modules/jest-each
jest-leak-detector 21.3.0-beta.9 - 24.9.0
Depends on vulnerable versions of pretty-format
node_modules/jest-leak-detector
jest-validate 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of pretty-format
node_modules/jest-validate
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/react-dev-utils/node_modules/inquirer/node_modules/strip-ansi
node_modules/string-length/node_modules/strip-ansi
node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/cliui
yargs 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
node_modules/yargs
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
eslint 4.5.0 - 7.15.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of table
node_modules/eslint
@typescript-eslint/eslint-plugin <=3.0.0-alpha.27
Depends on vulnerable versions of @typescript-eslint/parser
Depends on vulnerable versions of eslint
node_modules/@typescript-eslint/eslint-plugin
eslint-config-react-app 3.0.0-next.03604a46 - 5.2.1
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of @typescript-eslint/parser
Depends on vulnerable versions of eslint
node_modules/eslint-config-react-app
@typescript-eslint/parser 1.1.1-alpha.0 - 2.34.1-alpha.2
Depends on vulnerable versions of eslint
node_modules/@typescript-eslint/parser
eslint-loader 3.0.0 - 3.0.4
Depends on vulnerable versions of eslint
node_modules/eslint-loader
inquirer 3.2.0 - 7.0.4
Depends on vulnerable versions of strip-ansi
node_modules/react-dev-utils/node_modules/inquirer
react-dev-utils 0.4.0 - 12.0.0-next.37
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
node_modules/react-dev-utils
jest-watch-typeahead <=0.5.0
Depends on vulnerable versions of jest-watcher
Depends on vulnerable versions of string-length
Depends on vulnerable versions of strip-ansi
node_modules/jest-watch-typeahead
string-length 2.0.0 - 3.1.0
Depends on vulnerable versions of strip-ansi
node_modules/jest-watch-typeahead/node_modules/string-length
node_modules/string-length
jest-watcher <=26.0.0-alpha.2
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of string-length
node_modules/jest-watcher
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/cliui/node_modules/string-width
node_modules/table/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
node_modules/yargs/node_modules/string-width
table 4.0.2 - 5.4.6
Depends on vulnerable versions of string-width
node_modules/table
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/wrap-ansi
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils 0.4.0 - 12.0.0-next.37
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
node_modules/react-dev-utils
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/fast-glob/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of braces
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of readdirp
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.0.0-alpha.0 - 5.0.0-rc.6
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of watchpack
node_modules/react-scripts/node_modules/webpack
node_modules/react-scripts/node_modules/webpack/node_modules/webpack
node_modules/webpack
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of micromatch
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
react-dev-utils 0.4.0 - 12.0.0-next.37
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
node_modules/react-dev-utils
immer <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-9qmh-276g-x5pj
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/immer
react-dev-utils 0.4.0 - 12.0.0-next.37
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
node_modules/react-dev-utils
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix`
node_modules/node-notifier
@jest/reporters <=26.4.0
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of string-length
node_modules/@jest/reporters
@jest/core <=25.5.4
Depends on vulnerable versions of @jest/reporters
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of strip-ansi
node_modules/@jest/core
jest-cli 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-validate
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of jest-cli
node_modules/jest
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
postcss 7.0.0 - 7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 3.0.1 - 3.1.3 || 4.0.0-alpha.1 - 4.0.0-beta.2
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
react-dev-utils 0.4.0 - 12.0.0-next.37
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
set-value <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/set-value
cache-base >=0.7.0
Depends on vulnerable versions of set-value
Depends on vulnerable versions of union-value
node_modules/cache-base
base >=0.7.0
Depends on vulnerable versions of cache-base
node_modules/base
snapdragon 0.6.0 - 0.10.1
Depends on vulnerable versions of base
node_modules/snapdragon
braces 2.0.0 - 2.3.2
Depends on vulnerable versions of snapdragon
node_modules/micromatch/node_modules/braces
node_modules/watchpack-chokidar2/node_modules/braces
node_modules/webpack-dev-server/node_modules/braces
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of braces
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of readdirp
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.0.0-alpha.0 - 5.0.0-rc.6
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of watchpack
node_modules/react-scripts/node_modules/webpack
node_modules/react-scripts/node_modules/webpack/node_modules/webpack
node_modules/webpack
react-scripts >=0.8.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-config-react-app
Depends on vulnerable versions of eslint-loader
Depends on vulnerable versions of jest-environment-jsdom-fourteen
Depends on vulnerable versions of jest-watch-typeahead
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
expand-brackets 1.0.0 - 2.1.4
Depends on vulnerable versions of snapdragon
node_modules/expand-brackets
extglob 1.0.0 - 2.0.4
Depends on vulnerable versions of snapdragon
node_modules/extglob
micromatch 3.0.0 - 3.1.10
Depends on vulnerable versions of snapdragon
node_modules/micromatch
@jest/transform <=24.9.0
Depends on vulnerable versions of micromatch
node_modules/@jest/transform
@jest/environment <=24.9.0
Depends on vulnerable versions of @jest/transform
node_modules/@jest/environment
jest-environment-jsdom 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/environment
node_modules/jest-environment-jsdom
jest-environment-jsdom-fourteen >=1.0.0-alpha.0
Depends on vulnerable versions of @jest/environment
node_modules/jest-environment-jsdom-fourteen
jest-environment-node 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/environment
node_modules/jest-environment-node
jest-runner 21.0.0-alpha.1 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-leak-detector
node_modules/jest-runner
@jest/test-sequencer <=24.9.0
Depends on vulnerable versions of jest-runner
node_modules/@jest/test-sequencer
jest-config 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of @jest/test-sequencer
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of pretty-format
node_modules/jest-config
@jest/core <=25.5.4
Depends on vulnerable versions of @jest/reporters
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of strip-ansi
node_modules/@jest/core
jest-cli 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-validate
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-runtime 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-validate
Depends on vulnerable versions of yargs
node_modules/jest-runtime
@jest/reporters <=26.4.0
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of string-length
node_modules/@jest/reporters
jest-jasmine2 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of jest-each
Depends on vulnerable versions of jest-matcher-utils
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of pretty-format
node_modules/jest-jasmine2
babel-jest 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/transform
node_modules/babel-jest
anymatch 2.0.0
Depends on vulnerable versions of micromatch
node_modules/jest-haste-map/node_modules/anymatch
node_modules/sane/node_modules/anymatch
node_modules/watchpack-chokidar2/node_modules/anymatch
node_modules/webpack-dev-server/node_modules/anymatch
jest-haste-map 23.2.0 || 24.0.0-alpha.0 - 26.6.2
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of micromatch
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
react-dev-utils 0.4.0 - 12.0.0-next.37
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
node_modules/react-dev-utils
fork-ts-checker-webpack-plugin 0.4.14 - 4.1.6
Depends on vulnerable versions of micromatch
node_modules/fork-ts-checker-webpack-plugin
http-proxy-middleware 0.18.0 - 0.19.2
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
jest-message-util 23.2.0 - 23.3.0 || 24.0.0-alpha.0 - 24.9.0
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
@jest/fake-timers <=24.9.0
Depends on vulnerable versions of jest-message-util
node_modules/@jest/fake-timers
jest-util 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/fake-timers
node_modules/jest-util
jest-each 23.0.1 - 24.9.0
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of pretty-format
node_modules/jest-each
jest-watcher <=26.0.0-alpha.2
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of string-length
node_modules/jest-watcher
jest-watch-typeahead <=0.5.0
Depends on vulnerable versions of jest-watcher
Depends on vulnerable versions of string-length
Depends on vulnerable versions of strip-ansi
node_modules/jest-watch-typeahead
expect 21.0.0-beta.1 - 24.9.0
Depends on vulnerable versions of jest-matcher-utils
Depends on vulnerable versions of jest-message-util
node_modules/expect
jest-snapshot 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of pretty-format
node_modules/jest-snapshot
jest-resolve-dependencies 23.0.0-alpha.5 - 24.9.0
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
readdirp 2.2.0 - 2.2.1
Depends on vulnerable versions of micromatch
node_modules/watchpack-chokidar2/node_modules/readdirp
node_modules/webpack-dev-server/node_modules/readdirp
sane 2.5.0 - 4.1.0
Depends on vulnerable versions of micromatch
node_modules/sane
nanomatch >=0.1.1
Depends on vulnerable versions of snapdragon
node_modules/nanomatch
union-value *
Depends on vulnerable versions of set-value
node_modules/union-value
84 vulnerabilities (39 moderate, 44 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Even more vulnerabilities now, but at least there’s one less ‘critical’ one, and running the app produces a friendlier error message:
$ npm start
> hello-world@0.1.0 start
> react-scripts start
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"webpack": "4.42.0"
Don't try to install it manually: your package manager does it automatically.
However, a different version of webpack was detected higher up in the tree:
/home/mscheper/git/r17dpabp/hello-world/node_modules/webpack (version: 4.46.0)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
1. Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
2. Delete node_modules in your project folder.
3. Remove "webpack" from dependencies and/or devDependencies in the package.json file in your project folder.
4. Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:
5. If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
6. Check if /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack is outside your project directory.
For example, you might have accidentally installed something in your home folder.
7. Try running npm ls webpack in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed webpack.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.
P.S. We know this message is long but please read the steps above :-) We hope you find them helpful!
Friendly, but not entirely helpful, unfortunately. 😏 webpack isn’t in hello-world/package.json, and I don’t have it installed on my system.
I tried running npm install anyhow (step 4), and got this:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR!
npm ERR! While resolving: react-scripts@3.4.4
npm ERR! Found: typescript@4.4.4
npm ERR! node_modules/typescript
npm ERR! typescript@"^4.4.4" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^3.4.4" from the root project
npm ERR!
npm ERR! Conflicting peer dependency: typescript@3.9.10
npm ERR! node_modules/typescript
npm ERR! peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^3.4.4" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /home/mscheper/.npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/mscheper/.npm/_logs/2021-10-21T18_13_30_217Z-debug.log
Ah! I did install typescript on my system, because it listed as a requirement, earlier in the chapter. Maybe that was a mistake, so I removed it and tried again.
$ sudo apt remove node-typescript
[success]
$ rm package-lock.json
rm: cannot remove 'package-lock.json': No such file or directory
$ rm -R node_modules
rm: cannot remove 'node_modules': No such file or directory
$ npm install
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR!
npm ERR! While resolving: react-scripts@3.4.4
npm ERR! Found: typescript@4.4.4
npm ERR! node_modules/typescript
npm ERR! typescript@"^4.4.4" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^3.4.4" from the root project
npm ERR!
npm ERR! Conflicting peer dependency: typescript@3.9.10
npm ERR! node_modules/typescript
npm ERR! peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^3.4.4" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /home/mscheper/.npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/mscheper/.npm/_logs/2021-10-21T18_16_19_189Z-debug.log
🤔 So typescript is still a problem.
I removed the entire hello-world directory structure and started all over again, and got exactly the same results, so removing the system typescript hasn’t made a difference.
I installed yarn (step 5), but didn’t really know how to use it, and since webpack wasn’t in hello-world/package.json, I didn’t delve deeper.
There is, however, a webpack subdirectory under hello-world/node_modules (step 6), which I can’t explain, but it looks like a pretty normal package directory to me.
As for step 7:
$ npm ls webpack
hello-world@0.1.0 /home/mscheper/git/r17dpabp/hello-world
└─┬ react-scripts@3.4.4
├─┬ babel-loader@8.1.0
│ └─┬ webpack@4.46.0
│ └─┬ terser-webpack-plugin@1.4.5
│ └── webpack@4.46.0 deduped
├─┬ css-loader@3.4.2
│ └── webpack@4.46.0 deduped
├─┬ eslint-loader@3.0.3
│ └── webpack@4.46.0 deduped
├─┬ file-loader@4.3.0
│ └── webpack@4.46.0 deduped
├─┬ html-webpack-plugin@4.0.0-beta.11
│ └── webpack@4.46.0 deduped
├─┬ mini-css-extract-plugin@0.9.0
│ └── webpack@4.46.0 deduped
├─┬ optimize-css-assets-webpack-plugin@5.0.3
│ └── webpack@4.46.0 deduped
├─┬ sass-loader@8.0.2
│ └── webpack@4.46.0 deduped
├─┬ terser-webpack-plugin@2.3.8
│ └── webpack@4.46.0 deduped
├─┬ url-loader@2.3.0
│ └── webpack@4.46.0 deduped
├─┬ webpack-dev-server@3.11.0
│ ├─┬ webpack-dev-middleware@3.7.3
│ │ └── webpack@4.46.0 deduped
│ └── webpack@4.46.0 deduped
├─┬ webpack-manifest-plugin@2.2.0
│ └── webpack@4.46.0 deduped
├─┬ webpack@4.42.0
│ └─┬ terser-webpack-plugin@1.4.5
│ └── webpack@4.46.0
└─┬ workbox-webpack-plugin@4.3.1
└── webpack@4.46.0 deduped
I don’t know what this indicates, though.
I also tried creating a hello-world/.env file and putting SKIP_PREFLIGHT_CHECK=true in it. That just made the ERR_OSSL_EVP_UNSUPPORTED error come up again. I’ve also tried npm audit fix --force a few more times, but that only increased the number of vulnerabilities.
I’d love for this to work, because it sounds simpler than the way I’ve created React projects in the past, and hopefully easier for other devs to get set up on the same project. Any ideas?
Issue Analytics
- State:
- Created 2 years ago
- Comments:5
Top Results From Across the Web
Webpack build failing with ERR_OSSL_EVP_UNSUPPORTED
macOS and Linux. You should have installed NVM (Node Version Manager). If you never had before, just run this command in your terminal:....
Read more >error:0308010c:digital envelope routines::unsupported - You ...
I have an error when I start to run my react native app. node:internal/crypto/hash:67 ... It doesn't compile & it throws the following...
Read more >What's New In Node.js 17? - Morioh
In Node.js 17, this ongoing promisification work is extended to the readline module, mainly used to accept input from command line.
Read more >error:0308010C:digital envelope routines::unsupported react ...
in package.json script tag "scripts": { "start": "react-scripts --openssl-legacy-provider start" }
Read more >Serverless — Hello World - Medium
Sometimes read a lot of theory doesn't work for some and ... In this post you will create a simple Hello world app...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
@TheFalseFriend: I’m on another new project now, so I just gave it another go, and yes,
npx create-react-app hello-world --template typescriptnow works. There was a deprecation warning and ‘8 moderate severity vulnerabilities’, but the web page shown on p.20 of the book appeared for me, unlike when I created this issue. 🎈@ericcAtGitHub: I suggest future editions of the book direct readers to install a particular version, known to be working. It would also be helpful to suggest where to go for help, if it doesn’t.
And as I said in this comment, I got lost wading through the comments in issue 11174, but it seems to imply that these ‘security issues’ should just be ignored. Since this is counterintuitive, it is also worth mentioning in the book, I reckon. As a very experienced developer, I’ve learnt to take web security seriously, and I’m sure those warnings would be scary for anyone starting out as well.
Thanks, both of you, for your help.
@mscheper - not sure if you ever ended up with a resolution, but it seems the error regarding ERR_OSSL_EVP_UNSUPPORTED relates to some changes in Node 17 (pertaining to SSL usage). Assuming you’re using nvm, I’ll bet if you do e.g.:
$ nvm use 16…and retry whatever you were doing previously that triggered the error, it won’t appear this time around (consider the security implication of such a quick fix, though - i.e. it sounds like Node 17 is enforcing a tighter security requirement). See e.g. this SO post for some further reference.
Regarding the other security errors: as mentioned in this comment, see https://github.com/facebook/create-react-app/issues/11174.