See this console output with npm. First, when I run npm audit it tells me I need to downgrade from react-scripts@4.0.3 to react-scripts@3.4.4 because of supposed vulnerabilities with the newer version?
So I follow the advice of npm and run npm audit fix --force, which downgrades me to react-scripts@0.9.5 and then tells me there are now 48 vulnerabilities (up from 27 initially) which can be solved by upgrading to react-scripts@4.0.3.
So by running this npm audit fix --force command, I end up in an endless cycle of vulnerabilities.
I see there is an open issue on npm https://github.com/npm/cli/issues/3472
Is there any kind of hack fix that will make these errors go away, even if temporarily? This is a bug with npm right?
my versions, for ref
(base) mycomputer:~/Projects/project/frontend$ npm -v
8.1.4
(base) mycomputer:~/Projects/project/frontend$ node -v
v17.1.0
(base) mycomputer:~/Projects/project/frontend$ npm audit
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of optimize-css-assets-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/webpack-dev-server/node_modules/cliui/node_modules/strip-ansi
node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/webpack-dev-server/node_modules/cliui
yargs 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
node_modules/webpack-dev-server/node_modules/yargs
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of optimize-css-assets-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/webpack-dev-server/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/webpack-dev-server/node_modules/wrap-ansi
... (truncated because of stack overflow character limit)
27 vulnerabilities (16 moderate, 9 high, 2 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
(base) mycomputer:~/Projects/project/frontend$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 0.9.5,which is a SemVer major change.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated eslint-loader@1.6.0: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated extract-text-webpack-plugin@1.0.1: Deprecated. Please use https://github.com/webpack-contrib/mini-css-extract-plugin
npm WARN deprecated sane@1.4.1: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problema
tic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated babel-eslint@7.1.1: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated html-webpack-plugin@2.24.0: out of support
npm WARN deprecated svgo@0.7.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, f
eature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of
core-js.
added 442 packages, removed 1321 packages, changed 281 packages, and audited 1247 packages in 1m
35 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/ansi-html
react-dev-utils 0.2.0 - 11.0.3
Depends on vulnerable versions of ansi-html
node_modules/react-dev-utils
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
braces <2.3.1
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
color-string <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
color <=0.11.4
Depends on vulnerable versions of color-string
node_modules/color
colormin *
Depends on vulnerable versions of color
node_modules/colormin
postcss-colormin <=2.2.2
Depends on vulnerable versions of colormin
node_modules/postcss-colormin
cssnano <=3.10.0
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
debug <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/eslint-module-utils/node_modules/debug
eslint-module-utils 1.0.0-beta.0 - 2.0.0
Depends on vulnerable versions of debug
node_modules/eslint-module-utils
eslint-plugin-import 2.0.0-beta.0 - 2.1.0
Depends on vulnerable versions of eslint-module-utils
node_modules/eslint-plugin-import
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
is-svg 2.1.0 - 4.2.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-7r28-3m3f-r2pr
fix available via `npm audit fix`
node_modules/is-svg
js-yaml <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/svgo/node_modules/js-yaml
svgo 0.4.2 - 1.0.5
Depends on vulnerable versions of js-yaml
node_modules/svgo
postcss-svgo <=2.1.6
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano <=3.10.0
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
merge <2.1.1
Severity: high
Prototype Pollution in merge - https://github.com/advisories/GHSA-7wpw-2hjm-89gp
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
mime <1.4.1
Severity: moderate
Regular Expression Denial of Service in mime - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/mime
url-loader 0.5.5 - 0.5.9
Depends on vulnerable versions of mime
node_modules/url-loader
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
minimist <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/optimist/node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
webpack 0.11.0-beta1 - 2.0.2-beta
Depends on vulnerable versions of optimist
node_modules/webpack
extract-text-webpack-plugin <=1.0.1
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/node-notifier
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
open <6.0.0
Severity: critical
Command Injection in open - https://github.com/advisories/GHSA-28xh-wpgr-7fm8
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/open
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
react-dev-utils 0.2.0 - 11.0.3
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of ansi-html
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Severity: critical
Missing Origin Validation in webpack-dev-server - https://github.com/advisories/GHSA-cf66-xwfp-gvc4
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
Depends on vulnerable versions of yargs-parser
node_modules/yargs
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
