Using npx create-react-app causes vulnerabilities, Why?

[RobFosterNYC]

Hi, I am learning react and when I use whats called new method ( npx install -g create-react-app (then name of app))
instead of using (npm install -g create-react-app).
I was following a website that said to stop using it one way and to start using the npx version way.
I uninstalled react by using ( npm uninstall -g create-react-app ) then I used ( npx install -g create-react-app (then name of app))
I get an ERR message saying I have vulnerabilities. As shown in the picture below.

I am using NODE v16.3.0, npm v7.16.0

I was following THIS page....
.

And THIS is the ERR I got back when following the website.....
.

.

1. • How do I solve this problem ??
2. • Also how do I install react globally so I can use it in all my upcoming projects as Im learning react ??

Thanks for reading :)

[pierre-H]

See #11092

[RobFosterNYC]

Thank you @pierre-H <3

[cmacdonnacha]

This is becoming a big issue and there's been no communication from the team on this.

[KrishnanSriram]

react-scripts is the problem-maker
96 vulnerabilities (85 moderate, 11 high)
All our production release are now stopped

[cmacdonnacha]

Is there a way for us to update these dependencies ourselves without having to wait for react-scripts? There's currently a high sev vulnerability on normalize-url

[gaearon]

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

[gaearon]

Please see #11174.