Bug: 6 high severity vulnerabilities in create-react-app

[vanuverma]

I know this is supposed to be in the vulnerabilities section, but I didn't clearly understand that part, so adding this here.

Issue

After creating a new app using create-react-app, getting 6 high severity vulnerabilities when I run npm install & npm audit command

React version: 18.2.0

Steps To Reproduce

1. run npx create-react-app my-app
2. run cd my-app
3. run npm install
4. run npm audit

npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[harish-sethuraman]

You might want to take a look at

• Help, npm audit says I have a vulnerability in react-scripts! create-react-app#11174

Also https://github.com/facebook/create-react-app/ is the right repo to raise issues regarding create-react-app :)

[vanuverma]

Hi @harish-sethuraman thanks for the reply. I will follow that link. :)

[itsaulakh2213]

I have same problem how to solve bro

[josegerardo70mx]

same proble

[Karthikeyan-seka]

i got the same problem too. what is the status of your problem

Any updates on this? Cause I don't like that each of my React projects has "6 high severity vulnerabilities".
Some people on StackOverflow say that it's a feature and not a bug, but come on...

[MRdimenter]

Same problem still
Please do something about it

[vanuverma]

I don't know if this is a solution, but you can try using yarn install instead of npm install (and remove package-lock.json file). For the same repo with same package.json file ("react": "^18.2.0"), when I run npm install, I get "6 high severity vulnerabilities", whereas running yarn install does not return any vulnerabilities. However, I am not sure if yarn actually does any vulnerabilities check or not.