5

While running npx create-react-app my-app, I am getting 10 moderate severity vulnerabilities. Not able to fix even after running npm audit fix or npm audit fix --force. When I run npm audit fix --force i get more 44 vulnerabilities (25 low, 5 moderate, 14 high), then again if I run same command to fix I get 10 moderate severity vulnerabilities. This keeps on going in cycles each time I run command.

$ npm audit
# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747  
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751  
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-rc.6
      Depends on vulnerable versions of webpack-dev-server
      node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin

10 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
Jishnu Mk
  • 143
  • 1
  • 3
  • 12

2 Answers2

5

You have to run npm audit --production instead of npm audit. This is a known issue without a real fix. These should all be in your devDependencies and it won't have any security impact in your production builds.

Read more about dev dependencies vs dependencies here.

Read more about this in the react-create-app Github.

AntonioGarcía
  • 1,140
  • 2
  • 15
  • 25
4

Those vulnerabilities seem to be from dev dependencies so you probably don't have to fix those.

Dan Abramov one of the React developers and creator of Redux wrote an article explaining this https://overreacted.io/npm-audit-broken-by-design/

justpen
  • 178
  • 1
  • 11
  • Dan Abramov wrote another (shorter) explanation , in Github issues for Create-React-App explaining why these are NOT actual vulnerabilities: [Help, npm audit says I have a vulnerability in react-scripts! issue #11174](https://github.com/facebook/create-react-app/issues/11174) https://github.com/facebook/create-react-app/issues/11174 – SherylHohman Oct 18 '21 at 23:45