-2

Hi, I have a problem: when I create a React app, it builds with yarn, and I have never used yarn in my life. When I use npm to install anything, it shows problems. I tried to use (create-react-app my-project --use-npm) and I removed yarn.lock, but I found the same problem, and when I install any package with npm it shows me the message: 58 vulnerabilities (16 moderate, 40 high, 2 critical)

the images: https://cdn.discordapp.com/attachments/811324614901760041/905436370363883520/unknown.png https://cdn.discordapp.com/attachments/811324614901760041/905436302948831312/unknown.png https://media.discordapp.net/attachments/811324614901760041/905434979037765642/unknown.png?width=1108&height=623 https://cdn.discordapp.com/attachments/811324614901760041/905434979037765642/unknown.png https://cdn.discordapp.com/attachments/811324614901760041/905433250971926609/unknown.png

jonrsharpe
mootez

1 Answer

0

To get to the root of your question, you have both yarn and npm installed.

  1. create-react-app uses yarn for the setup if it's installed. Yarn is a Facebook initiative too, so it's just a preference of the react-app creators to lean more toward yarn, or rather Facebook-initiated products; initially it was also believed to be more secure than npm, with faster performance too.
  2. Glad you have noted --use-npm, so you can always specify what you want to use when overriding yarn.
  3. In terms of not having used yarn before, don't stress; learn the new tool, because Yarn drew its inspiration from npm, so the CLI commands are not too far off.
  4. In terms of the vulnerabilities, let me point to package dependencies. With npm, apparently since v6, this has always been a concern when starting a new project. The best thing to do is to audit your packages, find the dependencies, and resolve or reduce those vulnerabilities by going either to the specific versions required or to @latest. It is also worth checking your node version; to some extent, most devs online say the older versions are more stable, and often the vulnerabilities are in react-scripts, which is part of the build process. Also, remember that you would be running preset templates, so it's really worth checking npm audit or yarn why as well. Also run either npm outdated or yarn outdated so you can properly assess the state.

Have a great yarn journey!!!
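One way to do the audit step suggested in the answer is to group the findings by the direct dependency that pulls them in, which shows how much of a count like "58 vulnerabilities" sits under react-scripts. This is an added example, not part of the original answer; it assumes the report shape that npm 7+ prints for `npm audit --json` (`auditReportVersion: 2`), and the sample report and its `example-*` package names are constructed.

```javascript
// Added example: group `npm audit --json` findings by direct dependency.
// Assumption: npm 7+ report shape, where each entry under `vulnerabilities`
// has `severity`, `isDirect` and `effects` (the packages that depend on it).

// Constructed sample, trimmed to the fields used below (not real audit output).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": { severity: "high", isDirect: false, effects: ["example-loader"] },
    "example-loader": { severity: "high", isDirect: false, effects: ["react-scripts"] },
    "example-glob": { severity: "moderate", isDirect: false,
                      effects: ["example-loader", "example-http"] },
    "react-scripts": { severity: "high", isDirect: true, effects: [] },
    "example-http": { severity: "critical", isDirect: true, effects: [] },
  },
};

// Walk `effects` upward until we reach packages listed in package.json.
// `seen` guards against dependency cycles in the report.
function directRoots(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = report.vulnerabilities[name];
  if (!entry) return [];
  const roots = entry.isDirect ? [name] : [];
  for (const parent of entry.effects || []) {
    roots.push(...directRoots(report, parent, seen));
  }
  return roots;
}

// Returns { directDependency: { severity: count, ... }, ... }.
function groupByRoot(report) {
  const groups = {};
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    for (const root of directRoots(report, name)) {
      groups[root] = groups[root] || {};
      groups[root][entry.severity] = (groups[root][entry.severity] || 0) + 1;
    }
  }
  return groups;
}

console.log(groupByRoot(sampleReport));
```

For a real project, pass `JSON.parse` of the saved `npm audit --json` output to `groupByRoot`; a vulnerable package reachable from two direct dependencies is counted under both.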