Description
Describe the bug
While trying to initialize and install node modules using "npx create-react-app" and auditing using "npm audit", it gives the issues below:

```
npm audit report
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=0.1.0
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
webpack-dev-server <=5.2.0
Severity: moderate
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site - GHSA-4v9v-hfq4-rm2v
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server
9 vulnerabilities (3 moderate, 6 high)
To address all issues (including breaking changes), run:
npm audit fix --force
```
Did you try recovering your dependencies?
I've tried fixing normally and forcefully as well; fixing normally did nothing, but fixing forcefully modified the "react-scripts" version to 0.0.0.0.
I have also tried re-installing npm after removing "package-lock.json" & the "npm_modules" folder, but found nothing to move forward with.
Which terms did you search for in User Guide?
I searched with the same term "npx create-react-app audit error fix" but couldn't find anything helpful.
Also, I got to know this issue is too old, but the React or Facebook team didn't care to fix this issue, IDK why?
Environment
```
Environment Info:
current version of create-react-app: 5.1.0
running from C:\Users\admin\AppData\Local\npm-cache_npx\c67e74de0542c87c\node_modules\create-react-app
System:
OS: Windows 11 10.0.22631
CPU: (8) x64 Intel(R) Core(TM) i7-8665U CPU @ 1.90GHz
Binaries:
Node: 22.17.1 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 10.9.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: Not Found
Edge: Chromium (139.0.3405.125)
Internet Explorer: 11.0.22621.3527
npmPackages:
react: ^19.1.1 => 19.1.1
react-dom: ^19.1.1 => 19.1.1
react-scripts: 5.0.1 => 5.0.1
npmGlobalPackages:
create-react-app: Not Found
```
Steps to reproduce
- npx create-react-app
- npm audit
- npm audit
Expected behavior
There shouldn't be any vulnerability errors in just installing node modules. It's a core bug, not one in any other package or library.
Actual behavior
Getting the "9 vulnerabilities (3 moderate, 6 high)" issue by just installing the NPM packages using create-react-app.
What happens if you skip this step?
If I skip this issue, there might not be any issue in an empty node environment, but I tried installing the MUI library and it broke.
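The nested "Depends on vulnerable versions of ..." lines in the audit report are the same chain that `npm audit --json` exposes as `via` and `effects` edges, and triaging them means finding the direct dependency each advisory is reached through, since that is the only package a project's package.json can pin. The following added example is not code from the issue or from create-react-app: it walks those edges over a hand-constructed, cut-down JSON report mirroring the nth-check and webpack-dev-server chains above, with the `auditReportVersion` 2 field names assumed from npm 7+ and the advisory URLs built from the GHSA ids in the report.

```python
"""Trace each npm audit advisory up to the direct dependency that pulls it in (added example)."""
import json

def _entry(name, via, effects, severity="high", direct=False):
    # Minimal npm `auditReportVersion: 2` vulnerability record (field names assumed from npm 7+).
    return {"name": name, "severity": severity, "isDirect": direct, "via": via, "effects": effects}

# Advisory objects as npm embeds them in `via`; URLs are built from the GHSA ids in the issue.
ADV_NTH_CHECK = {"title": "Inefficient Regular Expression Complexity in nth-check",
                 "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
                 "severity": "high", "range": "<2.0.1"}
ADV_WDS = {"title": "webpack-dev-server users' source code may be stolen",
           "url": "https://github.com/advisories/GHSA-4v9v-hfq4-rm2v",
           "severity": "moderate", "range": "<=5.2.0"}

# Constructed, cut-down report mirroring the nth-check and webpack-dev-server chains in the issue.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "nth-check": _entry("nth-check", [ADV_NTH_CHECK], ["css-select"]),
    "css-select": _entry("css-select", ["nth-check"], ["svgo"]),
    "svgo": _entry("svgo", ["css-select"], ["@svgr/plugin-svgo"]),
    "@svgr/plugin-svgo": _entry("@svgr/plugin-svgo", ["svgo"], ["@svgr/webpack"]),
    "@svgr/webpack": _entry("@svgr/webpack", ["@svgr/plugin-svgo"], ["react-scripts"]),
    "webpack-dev-server": _entry("webpack-dev-server", [ADV_WDS], ["react-scripts"], "moderate"),
    "react-scripts": _entry("react-scripts", ["@svgr/webpack", "webpack-dev-server"], [], direct=True),
}})

def advisory_roots(report_json):
    """Return {advisory_url: (severity, {direct packages that reach it})}.
    A string in `via` means "vulnerable only through that dependency"; a dict is the
    advisory itself. From the advised package, follow `effects` edges upward to the
    `isDirect` packages, the only ones a project's package.json can actually pin."""
    vulns = json.loads(report_json)["vulnerabilities"]
    roots = {}
    for name, entry in vulns.items():
        for via in entry["via"]:
            if isinstance(via, str):
                continue  # transitive entry; the advisory is recorded on its source package
            seen, stack, direct = set(), [name], set()
            while stack:
                cur = stack.pop()
                if cur in seen or cur not in vulns:
                    continue
                seen.add(cur)
                if vulns[cur].get("isDirect"):
                    direct.add(cur)
                stack.extend(vulns[cur]["effects"])
            roots[via["url"]] = (via["severity"], direct)
    return roots

for url, (sev, direct) in advisory_roots(SAMPLE_REPORT).items():
    print(f"{sev:8} {url}  reached through direct dependency {sorted(direct)}")
```

Run against a real `npm audit --json > audit.json` by passing the file's contents to `advisory_roots`; every advisory in the report above resolves to react-scripts, which is why `npm audit fix` without `--force` cannot change anything here.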
