create-react-app: 6 high severity vulnerabilities #13053

@rwb196884

> npx create-react-app client
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.

Creating a new React app in C:\Work\Azure\repo\react\client.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...


added 1417 packages in 5m

231 packages are looking for funding
  run `npm fund` for details
Git repo not initialized Error: Command failed: git --version
    at checkExecSyncError (node:child_process:828:11)
    at execSync (node:child_process:899:15)
    at tryGitInit (C:\Work\Azure\repo\react\client.\node_modules\react-scripts\scripts\init.js:46:5)
    at module.exports (C:\Work\Azure\repo\react\client.\node_modules\react-scripts\scripts\init.js:276:7)
    at [eval]:3:14
    at Script.runInThisContext (node:vm:129:12)
    at Object.runInThisContext (node:vm:305:38)
    at node:internal/process/execution:76:19
    at [eval]-wrapper:6:22 {
  status: 1,
  signal: null,
  output: [ null, null, null ],
  pid: 59908,
  stdout: null,
  stderr: null
}

Installing template dependencies using npm...

added 62 packages in 21s

231 packages are looking for funding
  run `npm fund` for details
Removing template package using npm...

removed 1 package, and audited 1479 packages in 5s

231 packages are looking for funding
  run `npm fund` for details

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Success! Created fact-find at C:\Work\Azure\repo\react\client.
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd fact-find
  npm start

Happy hacking!

After running npm audit fix --force I end up with 75 vulnerabilities (13 low, 16 moderate, 42 high, 4 critical).

Seems a bit slipshod, no?
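
A check one could run before `npm audit fix --force`, as an added example that is not part of the original issue or of the create-react-app project: it groups the entries of an `npm audit --json` report (format version 2) by whether the fix is non-breaking, needs `--force`, or does not exist. The sample report, its package names and the `triageAudit` helper are constructed for illustration.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Package names, versions and advisories are invented for illustration.
const forcedFix = { name: "build-scripts", version: "2.0.0", isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "build-scripts": { name: "build-scripts", severity: "high", isDirect: true,
      via: ["svg-plugin"], fixAvailable: forcedFix },
    "svg-plugin": { name: "svg-plugin", severity: "high", isDirect: false,
      via: ["css-matcher"], fixAvailable: forcedFix },
    "css-matcher": { name: "css-matcher", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory A", severity: "high" }],
      fixAvailable: forcedFix },
    "tiny-util": { name: "tiny-util", severity: "moderate", isDirect: false,
      via: [{ title: "Constructed advisory B", severity: "moderate" }],
      fixAvailable: true },
    "old-lib": { name: "old-lib", severity: "low", isDirect: false,
      via: [{ title: "Constructed advisory C", severity: "low" }],
      fixAvailable: false },
  },
};

// Group findings by what `npm audit fix` would have to do to clear them.
function triageAudit(report) {
  const plan = { rootCauses: [], safe: [], noFix: [], forced: {} };
  for (const v of Object.values(report.vulnerabilities || {})) {
    // Object entries in `via` are advisories against this package; string
    // entries name other vulnerable packages that pass the finding along.
    if (v.via.some((x) => typeof x === "object")) plan.rootCauses.push(v.name);
    const fix = v.fixAvailable;
    if (fix === false) {
      plan.noFix.push(v.name);
    } else if (fix === true || !fix.isSemVerMajor) {
      plan.safe.push(v.name); // plain `npm audit fix` can handle this one
    } else {
      // npm applies this only with `--force`: it installs
      // fix.name@fix.version, a semver-major change to that package.
      const target = `${fix.name}@${fix.version}`;
      (plan.forced[target] = plan.forced[target] || []).push(v.name);
    }
  }
  return plan;
}

const samplePlan = triageAudit(sampleReport);
console.log(JSON.stringify(samplePlan, null, 2));
```

Each key under `forced` is a package version that `--force` would install, so the list shows the breaking changes to review before running it.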
