96 vulnerabilities after running npx create-react-app my-app command

[bcagarwal]

node version 16.3.0
nom version 7.15.1

While executing the command npx create-react-app my-app, I am getting

96 vulnerabilities (85 moderate, 11 high)

Please check.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...


added 1922 packages, and audited 1923 packages in 60s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Initialized a git repository.

Installing template dependencies using npm...

added 32 packages, and audited 1955 packages in 9s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
Removing template package using npm...


removed 1 package, and audited 1954 packages in 7s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Created git commit.

Success! Created my-app at /Users/bikashagrawal/react-projects/my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!

I tried to run npm audit fix and npm audit fix --force, but it didn't help.

[vegarringdal]

I got the same result

[fazemodz]

i got this too

[alaintalk]

same problem

[RealDrewKlayman]

same problem

[frankthoeny]

Does not justify another tread, I have a similar issue with create-react-app. I use Windows 10 with VSCode.

"dependencies": {
"@testing-library/jest-dom": "^5.14.1",
"@testing-library/react": "^11.2.7",
"@testing-library/user-event": "^12.8.3",
"react": "^17.0.2",
"react-dom": "^17.0.2",
"react-scripts": "^4.0.3", <--- (Is this it?)
"web-vitals": "^1.1.2"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},

---- I deleted "react-scripts": "^4.0.3", from the file package.json. Found that Uninstalling react-scripts returns the following.

npm install
removed 1843 packages and audited 83 packages in 52.197s

3 packages are looking for funding
run npm fund for details

found 0 vulnerabilities

---- But wait need react-scripts to work. I tried a different version from 4 months ago, but got the same results.

npm i react-scripts@4.0.0 --save
---- Why are these packages deprecated? OMG
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:

https://opencollective.com/core-js
https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

core-js@3.14.0 postinstall D:\Web Apps\myappnamehere\node_modules\core-js
node -e "try{require('./postinstall')}catch(e){}"

ejs@2.7.4 postinstall D:\Web Apps\myappnamehere\node_modules\ejs
node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.3 (node_modules\react-scripts\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\watchpack-chokidar2\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\webpack-dev-server\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.14.5 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

• react-scripts@4.0.0
  added 1847 packages from 648 contributors and audited 1933 packages in 192.476s

145 packages are looking for funding
run npm fund for details

found 86 vulnerabilities (82 moderate, 4 high)
run npm audit fix to fix them, or npm audit for details

[Breezehome2077]

I encountered the same, this is my prompt, can you ask what your prompt is?
我遇到了相同，这是我的提示，能问下你们的是什么吗？

[Breezehome2077]

Secondly, running npm init and then npx can solve the above problem; but a new problem has emerged: My project is MyReact / my-app, why does MyReact prompt an error? Is it because I am running npx under MyReact? (But if npx runs in the root directory, it will report an error “npm ERR! 404 Not Found - GET https://registry.npmjs.com/creat-react-app - Not found” and cannot be run directly.)
二次补充，先运行 npm init 再运行 npx 可以解决上面的问题；但新的问题又出来了：我的项目是 MyReact / my-app ，为什么 MyReact 会提示错误呢？是因为我是在 MyReact 下运行的 npx 吗？（但 npx 在根目录下是没法运行啊，报错 404）

[DancingColors]

Same here.

[bcagarwal]

Thanks to everyone who commented and it seems everyone is facing the same issue. What is the solution to this issue?

[DancingColors]

@bcagarwal The more comments, the more visibility to the issue. Asking again is useless.

[bcagarwal]

@DancingColors Got it. Thank you.

[mchakshu-zz]

Node JS version 14.16.1
npm version 6.14.12
found 89 vulnerabilities (1 low, 82 moderate, 6 high)

[Breezehome2077]

感谢所有评论的人， 似乎每个人都面临着同样的问题。这个问题的解决方案是什么

Upgrade npm to npm7

[Breezehome2077]

The problems encountered during the two days of learning this step (win10, nodejsv14.17.0):

1. Prompt 404
   1.1 Install create-react-app globally, and then execute npx
2. The file idealTree already exists
   2.1 Create file A, run npx in folder A
3. Prompt that there are vulnerabilities
   3.1 Upgrade npm to 7, automatically install dependencies
4. After the npx command is executed, it prompts that folder A lacks package.json
   4.1 Before executing npx, execute npm init first, manually create package.json, and then execute npx
   4.2 Or before executing npx, install yarn globally, and then execute npx.

Supplement: 4.2 Unresolved errors: When the installation reaches 3/4, there will be two error messages, and no solution has been found yet.

这两天学习这一步遇到的问题（win10,nodejsv14.17.0）:

1.提示404
1.1 全局安装 create-react-app，然后再执行 npx
2. 文件 idealTree 已存在
2.1 创建文件A，在文件夹A中运行 npx
3. 提示存在漏洞
3.1 升级npm 到7，自动安装依赖
4. npx命令执行后，提示文件夹A 缺少package.json
4.1 在执行 npx 之前，先执行 npm init ，手动创建 package.json，然后再执行 npx
4.2 或者在执行 npx 之前，先全局安装 yarn，然后再执行 npx。

补充：4.2 未解决的错误： 安装到3/4时，会有两个错误提示，暂未找到解决办法。

[RobFosterNYC]

I am getting this issue as well....
.

.

And for some odd reason (on its own), I am now getting duplicate files, its stressful and confusing...
the duplicate files have different configurations to one another.
.

[mrwensveen]

A lot of this has to do with the fact that react-scripts is added as a dependency in stead of a devDependency. Technically, the vulnerabilities will not be deployed unless they are also dependencies of your package or another dependency that will get deployed.

I have proposed here that react-scripts should be a devDependency again so we don't have to ignore a bunch of vulnerabilities every few weeks.

Edit: fixed link

[bcagarwal]

Is adding a label required? If yes, I am unable to do so. Could someone please help to add a label to this issue?

[arobert93]

This is extremely important to be fixed as soon as possible.

[Duosora]

Big upvote on the necessity of fixing that one. It's truly annoying to see it every single time.

[mel-ramkhelawan]

Im having the same issue.

Node: 16.3.0
npm: 7.15.1

[GhostyBooBoo]

+ the immer vulnerability from ages ago that still hasnt been resolved.

I recognize that technically these may not actually cause vulnerabilities for our applications, but that is just such an unrealistic view of how things really work. Bureaucracy is going to bureaucracy, so not fixing these just causes headaches for so many people.

[shodmin]

Same there !!

[ghost]

I have the same issue, running on Win10, Npm7

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

[bcagarwal]

We don't see any attention to this issue and we don't know whether it would be fixed. Is there anyway we can get desired attention to this issue so that it would be fixed on priority?

[croraf]

Can this be closed in favor of: #11012 ?

[rhalaly]

These vulnerabilities have been around for a long time. Is there any plan to fix them??

[AndreGCRamos]

Same problem here...

[gaearon]

There are no actual vulnerabilities here.

Unfortunately, npm audit has no idea that these packages are development-only dependencies. From what I can tell, none of these "vulnerabilities" actually affect your application (or even development machine) in any way.

This is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA).

Yes, it would be good to cut a patch to remove the warnings, but we are all unfortunately wasting time here.

[gaearon]

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

[gaearon]

Please see #11174.