
Npx create-react-app: 8 vulnerabilities (2 moderate, 6 high) in new react app #13637

Open
harish00506 opened this issue Jul 21, 2024 · 4 comments · May be fixed by #13778

Comments

@harish00506

PS C:\> npx create-react-app mern-stack

Creating a new React app in C:\mern-stack.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...

added 1482 packages in 4m

261 packages are looking for funding
run npm fund for details

Initialized a git repository.

Installing template dependencies using npm...

added 63 packages, and changed 1 package in 25s

261 packages are looking for funding
run npm fund for details
Removing template package using npm...

removed 1 package, and audited 1545 packages in 6s

261 packages are looking for funding
run npm fund for details

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Created git commit.

Success! Created mern-stack at C:\Users\LENOVO\Desktop\programing_Files\node_Files\learing_react\mern-stack
Inside that directory, you can run several commands:

npm start
Starts the development server.

npm run build
Bundles the app into static files for production.

npm test
Starts the test runner.

npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

cd mern-stack
npm start

Happy hacking!

PS C:\> cd .\mern-stack
PS C:\mern-stack> npm fund
[email protected]
├─┬ https://github.com/chalk/chalk?sponsor=1
│ │ └── [email protected]
│ └── https://github.com/chalk/ansi-styles?sponsor=1
│ └── [email protected], [email protected], [email protected]
├── https://github.com/sponsors/jonschlinkert
│ └── [email protected]
├── https://github.com/sponsors/sibiraj-s
│ └── [email protected]
├── https://github.com/sponsors/ljharb
│ └── [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
├── https://opencollective.com/babel
│ └── @babel/[email protected]
├─┬ https://github.com/sponsors/gregberge
│ │ └── @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected], @svgr/[email protected]
│ └── https://opencollective.com/core-js
│ └── [email protected], [email protected], [email protected]
├── https://opencollective.com/browserslist
│ └── [email protected], [email protected], [email protected]
├── https://opencollective.com/webpack
│ └── [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
├─┬ https://opencollective.com/eslint
│ │ └── [email protected], @eslint/[email protected], [email protected], [email protected], [email protected]
│ ├── https://github.com/sponsors/nzakas
│ │ └── @humanwhocodes/[email protected]
│ └── https://github.com/sponsors/isaacs
│ └── [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
├─┬ https://opencollective.com/html-webpack-plugin
│ │ └── [email protected]
│ └── https://github.com/fb55/htmlparser2?sponsor=1
│ └── [email protected]
├── https://opencollective.com/postcss/
│ └── [email protected], [email protected], [email protected], [email protected], [email protected]
├─┬ https://opencollective.com/csstools
│ │ └── [email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], @csstools/[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
│ └── https://ko-fi.com/mrcgrtz
│ └── [email protected]
├── https://github.com/sponsors/mdevils
│ └── [email protected]
├── https://github.com/chalk/supports-color?sponsor=1
│ └── [email protected]
├── https://github.com/avajs/find-cache-dir?sponsor=1
│ └── [email protected]
├── https://opencollective.com/typescript-eslint
│ └── @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected], @typescript-eslint/[email protected]
├── https://github.com/sindresorhus/emittery?sponsor=1
│ └── [email protected]
├── https://github.com/sindresorhus/execa?sponsor=1
│ └── [email protected]
├─┬ https://github.com/chalk/strip-ansi?sponsor=1
│ │ └── [email protected]
│ └── https://github.com/chalk/ansi-regex?sponsor=1
│ └── [email protected]
├── https://opencollective.com/immer
│ └── [email protected]
└── https://paulmillr.com/funding/
└── [email protected]

PS C:\mern-stack> npm install react-scripts@latest

up to date, audited 1545 packages in 4s

261 packages are looking for funding
run npm fund for details

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.
PS C:\mern-stack> npm audit

npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
npm audit fix --force
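The report above is worth reading as a dependency graph rather than a flat list: only two entries (nth-check and postcss) carry an actual advisory; the other six are flagged because they sit on the path from those two up to react-scripts, the one package that is actually in package.json. The only fix npm offers is a semver-major bump of react-scripts, which is why `npm audit fix --force` does not help and why the later comments reach for overrides or a patched react-scripts. The script below is an added example, not code from the issue or from the create-react-app project; it triages a report in the `auditReportVersion: 2` JSON layout that `npm audit --json` emits on npm 7 and later (an assumption about the format), on a constructed sample that mirrors the eight findings quoted here. The `fixAvailable.version` strings in the sample are placeholders, and the override pins it proposes assume the first non-vulnerable versions (2.0.1 and 8.4.31) are published.

```python
"""Triage an `npm audit --json` report: separate root advisories from packages that
are only flagged transitively, show how each reaches a direct dependency, flag
fixes that are breaking changes, and propose `overrides` pins for simple ranges."""
import re
from typing import Dict, List

ADVISORY = "https://github.com/advisories/"


def _vuln(name, severity, via, effects, rng, node, direct=False):
    # One entry in the shape of report["vulnerabilities"][name]. fixAvailable mirrors
    # the issue: the only offered fix is a semver-major react-scripts bump; the
    # version string is a placeholder, not a value from the real advisory.
    return {"name": name, "severity": severity, "isDirect": direct, "via": via,
            "effects": effects, "range": rng, "nodes": [node],
            "fixAvailable": {"name": "react-scripts", "version": "0.0.0-placeholder",
                             "isSemVerMajor": True}}


# Constructed sample mirroring the 8 findings (2 moderate, 6 high) quoted in the issue.
SAMPLE_AUDIT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "nth-check": _vuln("nth-check", "high",
            [{"title": "Inefficient Regular Expression Complexity in nth-check",
              "url": ADVISORY + "GHSA-rp65-9cf3-cjxr", "severity": "high", "range": "<2.0.1"}],
            ["css-select"], "<2.0.1", "node_modules/svgo/node_modules/nth-check"),
        "css-select": _vuln("css-select", "high", ["nth-check"], ["svgo"],
            "<=3.1.0", "node_modules/svgo/node_modules/css-select"),
        "svgo": _vuln("svgo", "high", ["css-select"], ["@svgr/plugin-svgo"],
            "1.0.0 - 1.3.2", "node_modules/svgo"),
        "@svgr/plugin-svgo": _vuln("@svgr/plugin-svgo", "high", ["svgo"],
            ["@svgr/webpack"], "<=5.5.0", "node_modules/@svgr/plugin-svgo"),
        "@svgr/webpack": _vuln("@svgr/webpack", "high", ["@svgr/plugin-svgo"],
            ["react-scripts"], "4.0.0 - 5.5.0", "node_modules/@svgr/webpack"),
        "postcss": _vuln("postcss", "moderate",
            [{"title": "PostCSS line return parsing error",
              "url": ADVISORY + "GHSA-7fh5-64p2-3v2j", "severity": "moderate", "range": "<8.4.31"}],
            ["resolve-url-loader"], "<8.4.31", "node_modules/resolve-url-loader/node_modules/postcss"),
        "resolve-url-loader": _vuln("resolve-url-loader", "moderate", ["postcss"],
            ["react-scripts"], "0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0",
            "node_modules/resolve-url-loader"),
        "react-scripts": _vuln("react-scripts", "high", ["@svgr/webpack", "resolve-url-loader"],
            [], ">=2.1.4", "node_modules/react-scripts", direct=True),
    },
}


def count_by_severity(report: dict) -> Dict[str, int]:
    """Severity histogram recomputed from the entries, not read from metadata."""
    counts: Dict[str, int] = {}
    for v in report["vulnerabilities"].values():
        counts[v["severity"]] = counts.get(v["severity"], 0) + 1
    return counts


def root_advisories(report: dict) -> List[dict]:
    """Entries whose `via` holds an advisory object; string `via` entries mean
    'flagged only because it depends on another vulnerable package'."""
    return [{"name": v["name"], "range": via["range"], "severity": via["severity"], "url": via["url"]}
            for v in report["vulnerabilities"].values()
            for via in v["via"] if isinstance(via, dict)]


def chain_to_direct(report: dict, name: str) -> List[str]:
    """Follow `effects` upward until a direct dependency (one in package.json) is reached.
    Takes the first unseen edge at each step; other branches form separate chains."""
    vulns, path, seen = report["vulnerabilities"], [name], {name}
    while not vulns[path[-1]]["isDirect"]:
        nxt = [e for e in vulns[path[-1]]["effects"] if e not in seen]
        if not nxt:
            break  # nothing direct depends on this node
        path.append(nxt[0])
        seen.add(nxt[0])
    return path


def breaking_fixes(report: dict) -> Dict[str, str]:
    """Packages whose only offered fix is semver-major (what `npm audit fix --force`
    applies). Maps vulnerable package -> package that would be bumped."""
    return {v["name"]: v["fixAvailable"]["name"]
            for v in report["vulnerabilities"].values()
            if isinstance(v.get("fixAvailable"), dict) and v["fixAvailable"].get("isSemVerMajor")}


_UPPER_BOUND = re.compile(r"^<(\d+\.\d+\.\d+)$")


def suggest_overrides(report: dict) -> Dict[str, str]:
    """For root advisories with a plain `<X.Y.Z` vulnerable range, propose an npm
    `overrides` pin of ^X.Y.Z; any other range shape is left for a human to judge."""
    pins = {}
    for adv in root_advisories(report):
        m = _UPPER_BOUND.match(adv["range"])
        if m:
            pins[adv["name"]] = "^" + m.group(1)
    return pins


if __name__ == "__main__":
    print(count_by_severity(SAMPLE_AUDIT))
    for adv in root_advisories(SAMPLE_AUDIT):
        print(adv["severity"], adv["name"], adv["range"], ":",
              " -> ".join(chain_to_direct(SAMPLE_AUDIT, adv["name"])))
    print("breaking fixes:", breaking_fixes(SAMPLE_AUDIT))
    print('"overrides":', suggest_overrides(SAMPLE_AUDIT))
```

On a real project, replace `SAMPLE_AUDIT` with `json.load` of `npm audit --json` output. Note what the chain output makes visible: both roots live under the build toolchain (svgo and resolve-url-loader), so an `overrides` pin changes what gets installed at build time and should be followed by `npm ls nth-check postcss` and a rebuild, since nothing in the audit report itself proves the pinned versions are compatible.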

@bharat407

Run npm audit fix --force

@harish00506
Author

I have run it as well, same result.

@ghost

ghost commented Aug 13, 2024

try this solution: #13607 (comment)

@HiickFG

HiickFG commented Jan 7, 2025

I have this PR (#13778), which could hopefully fix it without having to use overrides, etc.

I was having exactly the same on my app. Once I updated the react-scripts package to use latest dependencies on the places where those vulnerable package versions were used, I then got 0 vulnerabilities.
