
Vulnerabilities found after using npx create-react-app #11136

Closed
prathameshjchavan opened this issue Jun 22, 2021 · 21 comments

Comments

@prathameshjchavan

npm audit report

browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select
svgo >=1.0.0
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo *
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack >=4.0.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-svgo >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default *
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin 0.6.0 - 1.0.0
Depends on vulnerable versions of normalize-url
node_modules/mini-css-extract-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano-preset-default *
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

@joaoguidev

joaoguidev commented Jun 23, 2021

Same issue here.

I updated my Node.js to 16.3.0 with no effect.

Still getting those same 22 vulnerabilities (9 moderate, 13 high)

@krailler

Here another with the same issue 🙋‍♂️

Using Node 16 with npm 7

@AnthoVDO

Exactly the same

@Rugz007

Rugz007 commented Jun 23, 2021

Same issue

@JayMacpherson

Also same issue. Using latest LTS Node

@ako-v

ako-v commented Jun 23, 2021

Same issue here

@crazypixel

Same here

@thebytehoarder

Same issue here too

@vincevalenz

same

@ngamanning

Same issue here. There are only 87 vulnerabilities reported :D

@aquacalc

7 vulnerabilities, of which 4 high: 2 each in script packages css-what and normalize-url

node 14.13.0
npm 6.14.8

@wattanx

wattanx commented Jun 26, 2021

Same issue here too

@mf0sse

mf0sse commented Jun 27, 2021

Same here...

@rhalaly

rhalaly commented Jun 28, 2021

These vulnerabilities have been around for a long time. Is there any plan to fix them??

@csolisr

csolisr commented Jun 28, 2021

I manually upgraded all the dependencies in the package.json to latest, and it's still reporting 22 vulnerabilities (9 moderate, 13 high). I suspect the react-scripts package is at fault, depending on several outdated packages - are there any plans to upgrade them upstream to more modern versions? Not even npm audit fix --force is working on my side.

@vladdoroniuk

vladdoroniuk commented Jun 29, 2021

Same here, initially had 19 vulnerabilities (9 moderate, 10 high). Then used npm audit fix --force, and got 44 vulnerabilities (25 low, 8 moderate, 11 high).

@rhalaly

rhalaly commented Jun 29, 2021

> Same here, initially had 19 vulnerabilities (9 moderate, 10 high). Then used npm audit fix --force, and got 44 vulnerabilities (25 low, 8 moderate, 11 high).

I don't think that npm audit fix --force is the right way to solve it. Since there is no newer version of react-scripts yet, the --force flag will downgrade your react-scripts package version to 1.x.x instead of 4.x.x which is a bad breaking change

@eugeniudedin

Same here, 19 vulnerabilities (9 moderate, 10 high).

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.
