2

New and naive to react. I was trying to run the command "npm I react-router-dom" but when I did it cancelled the download and gave these errors. I did come across this link to some type of "solution": https://nvd.nist.gov/vuln/detail/CVE-2021-3803

# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
Drew Reese
  • 165,259
  • 14
  • 153
  • 181
Frank Sanchez
  • 21
  • 2
  • I'm confused. Did you run `npm i react-router-dom` or did you run `npm audit report`? Nothing in the report appears to have much of anything to do with `react-router-dom`. What exactly was the issue with installing RRD? What errors are you referring to? – Drew Reese Jun 30 '22 at 05:47
  • Hey @Drew , thanks for replying! I am sorry I meant `npm i react-router-dom`. This issue also occurred when I tried running `npm install --save styled-components` and it gave the same message "6 high severity vulnerability". I was able to bypass this by using the yarn package manager so now that message does not appear. I'm wondering if this actually fixed the issue? – Frank Sanchez Jun 30 '22 at 17:02
  • Seems like it may just be a node/npm version thing. What versions of these do you have installed? – Drew Reese Jun 30 '22 at 17:14
  • 1
    The actual issue is caused by `react-scripts` (which is probably listed as a dependency in your `package.json`?). – robertklep Jun 30 '22 at 17:25
  • @robertklep I have "react": "^18.2.0" – Frank Sanchez Jun 30 '22 at 17:37
  • @FrankSanchez `react-scripts` is not a dependency of `react@18.2.0`. Try and see if it works if you remove `package-lock.json` and then `npm i` and `npm i react-router-dom` – robertklep Jun 30 '22 at 17:41
  • @DrewReese npm -v is 8.13.2 – Frank Sanchez Jun 30 '22 at 17:42
  • 2
    I agree with @robertklep, it certainly now looks like a `react-scripts` issue. The current version is v5, so any v2.x version is quite old by comparison. – Drew Reese Jun 30 '22 at 17:43
  • Oh and also remove `node_modules` – robertklep Jun 30 '22 at 17:45
  • @FrankSanchez did you get any solution for this ? if yes then please post it as answer so that it can help others to fix it as well. – Ritesh Aug 09 '22 at 05:24

1 Answers1

0

Take react-scripts and move it to devDependencies (if you don't have it, create it):

  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },

Then, ensure you run npm audit --omit dev rather than npm audit.

This "security vulnerability" will not affect end-users as react-scripts isn't actually used in apps created by CRA by default. Unless you're somehow referencing react-scripts from your production app, you're fine.

William Neil
  • 1
  • 1