So basically, every time I run create-react-app with npx, npm or yarn (have tried them all), with both NodeJS 12 and NodeJS 16.3.0 and npm 7.15 (or something like this), it gives me multiple dependency vulnerabilities. With the newest versions of npm and NodeJS, I get 24 (11 moderate and 13 high). How do I resolve these dependencies? Or is it okay to just ignore them? I want to use the proposed app in production mode eventually, however I just cannot for the life of me figure out how to resolve these dependencies.

All the vulnerabilities seem to be related to react-scripts and denial of service. In the fixes, it suggests that an npx audit fix --force will fix it, by changing the react-scripts module to 1.1.5; however, when I do this, even more vulnerabilities arise, suggesting the same solution but to revert back to react-scripts 4.0.3. Any advice would be great as I am driving myself mad here and finding next to 0 answers.

Liam Webb

  • There is nothing you can do but to wait for the authors of react-scripts to update their package. Opening an [issue](https://github.com/facebook/create-react-app/issues/new/choose) on GitHub could help. – ISAE Jun 17 '21 at 19:07
  • Actually there is already an issue just opened: [Security vulnerability issues #11118](https://github.com/facebook/create-react-app/issues/11118) – ISAE Jun 17 '21 at 19:10
  • @ISAE oh that is interesting. I guess I will just have to wait it out then. If I start building a project in the current react files, is it easy enough to move these files to a new fresh 'create-react-app', once the vulnerabilities have been resolved? – Liam Webb Jun 17 '21 at 23:12
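An added example (my own code, not part of the question, the comments or the answer) showing how to triage an `npm audit --json` report offline before deciding whether findings like the ones above block a production deploy. It reads npm 7's report shape (`auditReportVersion` 2) and, for each entry, answers three questions a reviewer needs: does an advisory name this package itself, or is it listed only because something it depends on is vulnerable (which is why react-scripts shows up at all); is every path to it through a build-time-only direct dependency such as react-scripts, whose code never reaches the served bundle; and would the only available fix be a semver-major install, which is exactly what `npm audit fix --force` applies and why it proposed moving react-scripts from 4.0.3 down to 1.1.5. The sample report, its advisory titles and version ranges, and the `DEV_ONLY` set are constructed assumptions, not a real audit of create-react-app.

```python
"""Offline triage of an `npm audit --json` report (npm 7, auditReportVersion 2).

Added example, not code from the question or the answer. The sample report,
its advisory titles/ranges and DEV_ONLY are constructed assumptions.
"""
import json
from collections import Counter

# Constructed sample report in the npm 7 `npm audit --json` format.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "browserslist": {
            "name": "browserslist", "severity": "moderate", "isDirect": False,
            # a dict in `via` is an advisory against this package itself
            "via": [{"title": "ReDoS (constructed)", "severity": "moderate"}],
            "effects": ["react-scripts"], "range": "<4.16.5",
            "nodes": ["node_modules/browserslist"],
            # only fix is a semver-major change of the direct dependency
            "fixAvailable": {"name": "react-scripts", "version": "1.1.5",
                             "isSemVerMajor": True},
        },
        "glob-parent": {
            "name": "glob-parent", "severity": "high", "isDirect": False,
            "via": [{"title": "ReDoS (constructed)", "severity": "high"}],
            "effects": ["react-scripts"], "range": "<5.1.2",
            "nodes": ["node_modules/glob-parent"],
            "fixAvailable": True,  # plain `npm audit fix` resolves this one
        },
        "react-scripts": {
            "name": "react-scripts", "severity": "high", "isDirect": True,
            # strings in `via`: flagged only because it depends on these
            "via": ["browserslist", "glob-parent"],
            "effects": [], "range": ">=2.1.2",
            "nodes": ["node_modules/react-scripts"],
            "fixAvailable": {"name": "react-scripts", "version": "1.1.5",
                             "isSemVerMajor": True},
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 2, "critical": 0, "total": 3}},
})

# Assumption: direct dependencies you have determined are build-time only
# (react-scripts runs webpack and the dev server; none of its code is served).
DEV_ONLY = {"react-scripts"}


def severity_counts(report_json):
    """Count findings per severity, the numbers in npm audit's summary line."""
    report = json.loads(report_json)
    return Counter(v["severity"] for v in report["vulnerabilities"].values())


def direct_roots(vulns, name, seen=None):
    """Follow `effects` upward to the direct dependencies that reach `name`."""
    seen = set() if seen is None else seen
    if name in seen or name not in vulns:
        return set()
    seen.add(name)
    entry = vulns[name]
    if entry.get("isDirect"):
        return {name}
    roots = set()
    for parent in entry.get("effects", []):
        roots |= direct_roots(vulns, parent, seen)
    return roots


def triage(report_json, dev_only=DEV_ONLY):
    """Classify every finding; returns {package: info} for the review decision."""
    vulns = json.loads(report_json)["vulnerabilities"]
    result = {}
    for name, entry in vulns.items():
        fix = entry.get("fixAvailable")
        roots = direct_roots(vulns, name)
        result[name] = {
            "severity": entry["severity"],
            # True when an advisory names this package, False when it is
            # listed only because a dependency of it is vulnerable
            "has_advisory": any(isinstance(v, dict) for v in entry.get("via", [])),
            # every path to this package goes through a build-time-only root
            "build_time_only": bool(roots) and roots <= dev_only,
            # `npm audit fix --force` would apply this semver-major install
            "needs_force": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            "fix_target": (f'{fix["name"]}@{fix["version"]}' if isinstance(fix, dict)
                           else "in-range update" if fix else "none"),
        }
    return result


if __name__ == "__main__":
    print(dict(severity_counts(SAMPLE_REPORT)))
    for pkg, info in triage(SAMPLE_REPORT).items():
        print(f"{pkg:14} {info['severity']:9} advisory={info['has_advisory']!s:6}"
              f"build-only={info['build_time_only']!s:6}"
              f"force={info['needs_force']!s:6}fix={info['fix_target']}")
```

Run it against a real report with `npm audit --json > audit.json` and `json.load` instead of the constructed sample. Two caveats for the CRA case: `build_time_only` is only as good as the `DEV_ONLY` set you maintain, and `npm audit --production` will not trim these findings on a default CRA project because the template lists react-scripts under `dependencies`, not `devDependencies`.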

1 Answer

I posted my solution getting vulnerabilities down to one moderate risk due to the browserslist package here:

https://stackoverflow.com/a/68046680/1669123

Ultimately I think we'll need to wait on the CRA team to update react-scripts.

Darren Evans