Description
Describe the bug
58 vulnerabilities (16 moderate, 40 high, 2 critical)
and after npm audit fix -f ...
npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - GHSA-whgm-jr23-g3j9
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/ansi-html
react-dev-utils 0.2.0 - 11.0.3
Depends on vulnerable versions of ansi-html
node_modules/react-dev-utils
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
braces <2.3.1
Regular Expression Denial of Service in braces - GHSA-g95f-p29q-9xw4
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
color-string <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - GHSA-257v-vj4p-3w2h
fix available via npm audit fix
node_modules/color-string
color <=0.11.4
Depends on vulnerable versions of color-string
node_modules/color
colormin *
Depends on vulnerable versions of color
node_modules/colormin
postcss-colormin <=2.2.2
Depends on vulnerable versions of colormin
node_modules/postcss-colormin
cssnano <=3.10.0
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
debug <2.6.9
Regular Expression Denial of Service in debug - GHSA-gxpj-cx7g-858c
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/eslint-module-utils/node_modules/debug
eslint-module-utils 1.0.0-beta.0 - 2.0.0
Depends on vulnerable versions of debug
node_modules/eslint-module-utils
eslint-plugin-import 2.0.0-beta.0 - 2.1.0
Depends on vulnerable versions of eslint-module-utils
node_modules/eslint-plugin-import
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: high
Regular expression denial of service - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
is-svg 2.1.0 - 4.2.1
Severity: high
Regular Expression Denial of Service (ReDoS) - GHSA-7r28-3m3f-r2pr
fix available via npm audit fix
node_modules/is-svg
js-yaml <=3.13.0
Severity: high
Denial of Service in js-yaml - GHSA-2pr6-76vf-7546
Code Injection in js-yaml - GHSA-8j8c-7jfh-h6hx
fix available via npm audit fix
node_modules/svgo/node_modules/js-yaml
svgo 0.4.2 - 1.0.5
Depends on vulnerable versions of js-yaml
node_modules/svgo
postcss-svgo <=2.1.6
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano <=3.10.0
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
merge <2.1.1
Severity: high
Prototype Pollution in merge - GHSA-7wpw-2hjm-89gp
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
mime <1.4.1
Severity: moderate
Regular Expression Denial of Service in mime - GHSA-wrvr-8mpx-r7pp
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/mime
url-loader 0.5.5 - 0.5.9
Depends on vulnerable versions of mime
node_modules/url-loader
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
minimist <0.2.1
Severity: moderate
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/optimist/node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
webpack 0.11.0-beta1 - 2.0.2-beta
Depends on vulnerable versions of optimist
node_modules/webpack
extract-text-webpack-plugin <=1.0.1
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - GHSA-5fw9-fq32-wv5p
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/node-notifier
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
open <6.0.0
Severity: critical
Command Injection in open - GHSA-28xh-wpgr-7fm8
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/open
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
react-dev-utils 0.2.0 - 11.0.3
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of ansi-html
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Severity: critical
Missing Origin Validation in webpack-dev-server - GHSA-cf66-xwfp-gvc4
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
Depends on vulnerable versions of yargs-parser
node_modules/yargs
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
josselin@josselin-HP-Laptop-14-ck0xxx:~/dyma/react/testapp$
Did you try recovering your dependencies?
(Write your answer here.)
Which terms did you search for in User Guide?
(Write your answer here if relevant.)
Environment
(paste the output of the command here.)
Steps to reproduce
(Write your steps here:)
Expected behavior
(Write what you thought would happen.)
Actual behavior
(Write what happened. Please add screenshots!)
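The pasted report prints one block per affected package, so the headline counts (58, then 48) include packages that are only flagged because they depend on a vulnerable one. The following is an added example, not code from the original issue or from the create-react-app project, of separating the two from `npm audit --json` output. The JSON shape it reads (`via`, `effects`, `isDirect`, `fixAvailable`, `auditReportVersion` 2) is what npm 7+ emits; `SAMPLE_REPORT`, its placeholder `source` numbers, and the function names are constructed here to mirror a subset of the entries above.

```python
"""Triage helper for `npm audit --json` output (auditReportVersion 2, npm 7+).
Added example, not code from the original issue or from create-react-app.
Entries whose `via` holds advisory objects carry an advisory of their own;
entries whose `via` is only package names are flagged purely by propagation.
SAMPLE_REPORT is constructed to mirror a subset of the report pasted above;
its `source` ids are placeholders.
"""
import json
import sys

ADVISORY_BASE = "https://github.com/advisories/"
BREAKING_FIX = {"name": "react-scripts", "version": "4.0.3", "isSemVerMajor": True}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def _advisory(num, name, title, ghsa, severity, rng):
    # One advisory object as npm places it inside an entry's `via` list.
    return {"source": num, "name": name, "dependency": name, "title": title,
            "url": ADVISORY_BASE + ghsa, "severity": severity, "range": rng}


def _entry(name, severity, via, effects, fix, direct=False):
    return {"name": name, "severity": severity, "isDirect": direct,
            "via": via, "effects": effects, "fixAvailable": fix}


SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "ansi-html": _entry("ansi-html", "high", [_advisory(
        1, "ansi-html", "Uncontrolled Resource Consumption in ansi-html",
        "GHSA-whgm-jr23-g3j9", "high", "*")], ["react-dev-utils"], BREAKING_FIX),
    "react-dev-utils": _entry("react-dev-utils", "high", ["ansi-html", _advisory(
        2, "react-dev-utils", "Improper Neutralization of Special Elements used in an OS Command.",
        "GHSA-5q6m-3h65-w53x", "high", "0.2.0 - 11.0.3")], ["react-scripts"], BREAKING_FIX),
    "open": _entry("open", "critical", [_advisory(
        3, "open", "Command Injection in open", "GHSA-28xh-wpgr-7fm8", "critical",
        "<6.0.0")], ["webpack-dev-server"], BREAKING_FIX),
    "webpack-dev-server": _entry("webpack-dev-server", "critical", ["open", _advisory(
        4, "webpack-dev-server", "Missing Origin Validation in webpack-dev-server",
        "GHSA-cf66-xwfp-gvc4", "critical", "<=3.1.10")], ["react-scripts"], BREAKING_FIX),
    "react-scripts": _entry("react-scripts", "critical",
                            ["react-dev-utils", "webpack-dev-server"], [], BREAKING_FIX, direct=True),
    "is-svg": _entry("is-svg", "high", [_advisory(
        5, "is-svg", "Regular Expression Denial of Service (ReDoS)", "GHSA-7r28-3m3f-r2pr",
        "high", "2.1.0 - 4.2.1")], [], True),
}})


def load_report(text):
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2 (npm 7+ `npm audit --json`)")
    return report["vulnerabilities"]


def root_advisories(vulns):
    """Packages with an advisory of their own; string `via` items are propagation only."""
    return {n: [v for v in e["via"] if isinstance(v, dict)]
            for n, e in vulns.items() if any(isinstance(v, dict) for v in e["via"])}


def direct_dependents(vulns, package, seen=None):
    """Follow `effects` upward to the direct dependencies that pull `package` in.
    Empty when npm's report does not connect the entry to a direct dependency."""
    seen = set() if seen is None else seen
    if package in seen or package not in vulns:
        return set()
    seen.add(package)
    if vulns[package].get("isDirect"):
        return {package}
    found = set()
    for parent in vulns[package].get("effects", []):
        found |= direct_dependents(vulns, parent, seen)
    return found


def counts(text):
    vulns = load_report(text)
    roots = root_advisories(vulns)
    return {"entries": len(vulns), "root_packages": len(roots),
            "advisories": sum(len(a) for a in roots.values()),
            "transitive_only": len(vulns) - len(roots)}


def triage(text):
    vulns = load_report(text)
    rows = []
    for pkg, advisories in root_advisories(vulns).items():
        fix = vulns[pkg].get("fixAvailable")  # True, False, or {name, version, isSemVerMajor}
        rows.append({
            "package": pkg,
            "severity": vulns[pkg]["severity"],
            "advisories": [a["url"].rsplit("/", 1)[-1] for a in advisories],
            "pulled_in_by": sorted(direct_dependents(vulns, pkg)),
            "breaking_fix": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            "fix_target": (f'{fix["name"]}@{fix["version"]}' if isinstance(fix, dict)
                           else "non-breaking" if fix else "none"),
        })
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), r["package"]))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(counts(text))
    for row in triage(text):
        print(f'{row["severity"]:<9}{row["package"]:<20}{",".join(row["advisories"]):<22}'
              f'via {row["pulled_in_by"] or "?"}  fix: {row["fix_target"]}'
              f'{" (breaking)" if row["breaking_fix"] else ""}')
```

Run it against a real report with `npm audit --json > audit.json` followed by `python triage.py audit.json`. An empty `pulled_in_by` means npm's report did not connect that entry to a direct dependency (in the pasted report, `is-svg` likewise has no dependents listed under it); a `(breaking)` fix is the same semver-major install that `npm audit fix --force` performs, which is the `react-scripts@4.0.3` install the report warns about. Whether a chain that only reaches development tooling needs fixing at all is a separate judgement; npm's `--production` flag (`--omit=dev` on newer npm) excludes devDependencies from the audit so the two views can be compared.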