hello-world doesn't run; I get ERR_OSSL_EVP_UNSUPPORTED instead

[mscheper]

It's been a while since I've worked with React, so I bought this book and am following Chapter 1 on my Linux machine. I'm running Mint 20, and used nvm 0.39.0 to install node v17.0.1.

I'm not sure I've really felt 'JavaScript fatigue', but starting new React projects has been a gauntlet in the past, so I was excited when I read about create-react-app. It hasn't worked out for me, though, and I haven't found any more info about this hello-world app. Can you tell me what's wrong, or where to go for help?

$ create-react-app hello-world --template typescript

Creating a new React app in /home/mscheper/git/r17dpabp/hello-world.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template-typescript...

added 1890 packages, and audited 1891 packages in 21s

152 packages are looking for funding
  run `npm fund` for details

58 vulnerabilities (16 moderate, 40 high, 2 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Initialized a git repository.

Installing template dependencies using npm...

added 49 packages, changed 1 package, and audited 1940 packages in 4s

153 packages are looking for funding
  run `npm fund` for details

58 vulnerabilities (16 moderate, 40 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

We detected TypeScript in your project (src/App.test.tsx) and created a tsconfig.json file for you.

Your tsconfig.json has been populated with default values.

Removing template package using npm...

removed 1 package, and audited 1939 packages in 5s

153 packages are looking for funding
  run `npm fund` for details

58 vulnerabilities (16 moderate, 40 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Created git commit.

Success! Created hello-world at /home/mscheper/git/r17dpabp/hello-world
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd hello-world
  npm start

Happy hacking!

58 vulnerabilities sounds pretty bad. Sure enough, when I did cd hello-world and npm start, after some stuff flashed in my terminal and my scroll buffer got cleared, 😒 I got this:

Starting the development server...

/home/mscheper/git/r17dpabp/hello-world/node_modules/react-scripts/scripts/start.js:19
  throw err;
  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/NormalModule.js:417:16)
    at /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/NormalModule.js:452:10
    at /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack/lib/NormalModule.js:323:13
    at /home/mscheper/git/r17dpabp/hello-world/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /home/mscheper/git/r17dpabp/hello-world/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/home/mscheper/git/r17dpabp/hello-world/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /home/mscheper/git/r17dpabp/hello-world/node_modules/babel-loader/lib/index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Node.js v17.0.1

I tried websearching for this error, and looked for a repo for the hello-world app, but didn't find anything that looked helpful.

Then I tried:

$npm audit fix --force

npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 3.4.4,which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-scripts@3.4.4
npm WARN Found: typescript@4.4.4
npm WARN node_modules/typescript
npm WARN   typescript@"^4.4.4" from the root project
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm WARN node_modules/react-scripts
npm WARN   react-scripts@"3.4.4" from the root project
npm WARN 
npm WARN Conflicting peer dependency: typescript@3.9.10
npm WARN node_modules/typescript
npm WARN   peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm WARN   node_modules/react-scripts
npm WARN     react-scripts@"3.4.4" from the root project
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated eslint-loader@3.0.3: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated html-webpack-plugin@4.0.0-beta.11: please switch to a stable version
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 388 packages, removed 459 packages, changed 239 packages, and audited 1869 packages in 23s

99 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
    react-scripts  >=0.8.0
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of @typescript-eslint/eslint-plugin
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of eslint-config-react-app
    Depends on vulnerable versions of eslint-loader
    Depends on vulnerable versions of jest-environment-jsdom-fourteen
    Depends on vulnerable versions of jest-watch-typeahead
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/jest-config/node_modules/ansi-regex
node_modules/jest-each/node_modules/ansi-regex
node_modules/jest-jasmine2/node_modules/ansi-regex
node_modules/jest-leak-detector/node_modules/ansi-regex
node_modules/jest-matcher-utils/node_modules/ansi-regex
node_modules/jest-snapshot/node_modules/ansi-regex
node_modules/jest-validate/node_modules/ansi-regex
node_modules/react-dev-utils/node_modules/inquirer/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex
  pretty-format  20.1.0-alpha.1 - 25.0.0
  Depends on vulnerable versions of ansi-regex
  node_modules/jest-config/node_modules/pretty-format
  node_modules/jest-each/node_modules/pretty-format
  node_modules/jest-jasmine2/node_modules/pretty-format
  node_modules/jest-leak-detector/node_modules/pretty-format
  node_modules/jest-matcher-utils/node_modules/pretty-format
  node_modules/jest-snapshot/node_modules/pretty-format
  node_modules/jest-validate/node_modules/pretty-format
    jest-config  20.1.0-alpha.1 - 24.9.0
    Depends on vulnerable versions of @jest/test-sequencer
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of jest-jasmine2
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of pretty-format
    node_modules/jest-config
      @jest/core  <=25.5.4
      Depends on vulnerable versions of @jest/reporters
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of strip-ansi
      node_modules/@jest/core
        jest-cli  20.1.0-alpha.1 - 25.0.0
        Depends on vulnerable versions of @jest/core
        Depends on vulnerable versions of jest-config
        Depends on vulnerable versions of jest-validate
        Depends on vulnerable versions of yargs
        node_modules/jest-cli
          jest  24.2.0-alpha.0 - 24.9.0
          Depends on vulnerable versions of jest-cli
          node_modules/jest
      jest-runner  21.0.0-alpha.1 - 24.9.0
      Depends on vulnerable versions of @jest/environment
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of jest-haste-map
      Depends on vulnerable versions of jest-jasmine2
      Depends on vulnerable versions of jest-leak-detector
      node_modules/jest-runner
        @jest/test-sequencer  <=24.9.0
        Depends on vulnerable versions of jest-runner
        node_modules/@jest/test-sequencer
      jest-runtime  20.1.0-alpha.1 - 25.0.0
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of jest-haste-map
      Depends on vulnerable versions of jest-snapshot
      Depends on vulnerable versions of jest-validate
      Depends on vulnerable versions of yargs
      node_modules/jest-runtime
        @jest/reporters  <=26.4.0
        Depends on vulnerable versions of jest-runtime
        Depends on vulnerable versions of node-notifier
        Depends on vulnerable versions of string-length
        node_modules/@jest/reporters
        jest-jasmine2  20.1.0-alpha.1 - 24.9.0
        Depends on vulnerable versions of jest-each
        Depends on vulnerable versions of jest-matcher-utils
        Depends on vulnerable versions of jest-message-util
        Depends on vulnerable versions of jest-runtime
        Depends on vulnerable versions of pretty-format
        node_modules/jest-jasmine2
    jest-diff  20.1.0-alpha.1 - 24.9.0
    Depends on vulnerable versions of pretty-format
    node_modules/jest-matcher-utils/node_modules/jest-diff
    node_modules/jest-snapshot/node_modules/jest-diff
      jest-matcher-utils  20.1.0-alpha.1 - 24.9.0
      Depends on vulnerable versions of jest-diff
      Depends on vulnerable versions of pretty-format
      node_modules/jest-matcher-utils
        expect  21.0.0-beta.1 - 24.9.0
        Depends on vulnerable versions of jest-matcher-utils
        Depends on vulnerable versions of jest-message-util
        node_modules/expect
          jest-snapshot  20.1.0-alpha.1 - 24.9.0
          Depends on vulnerable versions of expect
          Depends on vulnerable versions of jest-message-util
          Depends on vulnerable versions of pretty-format
          node_modules/jest-snapshot
            jest-resolve-dependencies  23.0.0-alpha.5 - 24.9.0
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies
    jest-each  23.0.1 - 24.9.0
    Depends on vulnerable versions of jest-util
    Depends on vulnerable versions of pretty-format
    node_modules/jest-each
    jest-leak-detector  21.3.0-beta.9 - 24.9.0
    Depends on vulnerable versions of pretty-format
    node_modules/jest-leak-detector
    jest-validate  20.1.0-alpha.1 - 24.9.0
    Depends on vulnerable versions of pretty-format
    node_modules/jest-validate
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/react-dev-utils/node_modules/inquirer/node_modules/strip-ansi
  node_modules/string-length/node_modules/strip-ansi
  node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/yargs
        webpack-dev-server  2.0.0-beta - 4.1.0
        Depends on vulnerable versions of ansi-html
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
          react-scripts  >=0.8.0
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of @typescript-eslint/eslint-plugin
          Depends on vulnerable versions of eslint
          Depends on vulnerable versions of eslint-config-react-app
          Depends on vulnerable versions of eslint-loader
          Depends on vulnerable versions of jest-environment-jsdom-fourteen
          Depends on vulnerable versions of jest-watch-typeahead
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
    eslint  4.5.0 - 7.15.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of table
    node_modules/eslint
      @typescript-eslint/eslint-plugin  <=3.0.0-alpha.27
      Depends on vulnerable versions of @typescript-eslint/parser
      Depends on vulnerable versions of eslint
      node_modules/@typescript-eslint/eslint-plugin
        eslint-config-react-app  3.0.0-next.03604a46 - 5.2.1
        Depends on vulnerable versions of @typescript-eslint/eslint-plugin
        Depends on vulnerable versions of @typescript-eslint/parser
        Depends on vulnerable versions of eslint
        node_modules/eslint-config-react-app
      @typescript-eslint/parser  1.1.1-alpha.0 - 2.34.1-alpha.2
      Depends on vulnerable versions of eslint
      node_modules/@typescript-eslint/parser
      eslint-loader  3.0.0 - 3.0.4
      Depends on vulnerable versions of eslint
      node_modules/eslint-loader
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of strip-ansi
    node_modules/react-dev-utils/node_modules/inquirer
      react-dev-utils  0.4.0 - 12.0.0-next.37
      Depends on vulnerable versions of browserslist
      Depends on vulnerable versions of fork-ts-checker-webpack-plugin
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of immer
      Depends on vulnerable versions of inquirer
      node_modules/react-dev-utils
    jest-watch-typeahead  <=0.5.0
    Depends on vulnerable versions of jest-watcher
    Depends on vulnerable versions of string-length
    Depends on vulnerable versions of strip-ansi
    node_modules/jest-watch-typeahead
    string-length  2.0.0 - 3.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/jest-watch-typeahead/node_modules/string-length
    node_modules/string-length
      jest-watcher  <=26.0.0-alpha.2
      Depends on vulnerable versions of jest-util
      Depends on vulnerable versions of string-length
      node_modules/jest-watcher
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui/node_modules/string-width
    node_modules/table/node_modules/string-width
    node_modules/wrap-ansi/node_modules/string-width
    node_modules/yargs/node_modules/string-width
      table  4.0.2 - 5.4.6
      Depends on vulnerable versions of string-width
      node_modules/table
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/wrap-ansi

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  0.4.0 - 12.0.0-next.37
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of fork-ts-checker-webpack-plugin
  Depends on vulnerable versions of globby
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of inquirer
  node_modules/react-dev-utils
    react-scripts  >=0.8.0
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of @typescript-eslint/eslint-plugin
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of eslint-config-react-app
    Depends on vulnerable versions of eslint-loader
    Depends on vulnerable versions of jest-environment-jsdom-fourteen
    Depends on vulnerable versions of jest-watch-typeahead
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/fast-glob/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.0.0-alpha.0 - 5.0.0-rc.6
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of watchpack
        node_modules/react-scripts/node_modules/webpack
        node_modules/react-scripts/node_modules/webpack/node_modules/webpack
        node_modules/webpack
          react-scripts  >=0.8.0
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of @typescript-eslint/eslint-plugin
          Depends on vulnerable versions of eslint
          Depends on vulnerable versions of eslint-config-react-app
          Depends on vulnerable versions of eslint-loader
          Depends on vulnerable versions of jest-environment-jsdom-fourteen
          Depends on vulnerable versions of jest-watch-typeahead
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
    webpack-dev-server  2.0.0-beta - 4.1.0
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of micromatch
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      react-dev-utils  0.4.0 - 12.0.0-next.37
      Depends on vulnerable versions of browserslist
      Depends on vulnerable versions of fork-ts-checker-webpack-plugin
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of immer
      Depends on vulnerable versions of inquirer
      node_modules/react-dev-utils

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-9qmh-276g-x5pj
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/immer
  react-dev-utils  0.4.0 - 12.0.0-next.37
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of fork-ts-checker-webpack-plugin
  Depends on vulnerable versions of globby
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of inquirer
  node_modules/react-dev-utils
    react-scripts  >=0.8.0
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of @typescript-eslint/eslint-plugin
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of eslint-config-react-app
    Depends on vulnerable versions of eslint-loader
    Depends on vulnerable versions of jest-environment-jsdom-fourteen
    Depends on vulnerable versions of jest-watch-typeahead
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix`
node_modules/node-notifier
  @jest/reporters  <=26.4.0
  Depends on vulnerable versions of jest-runtime
  Depends on vulnerable versions of node-notifier
  Depends on vulnerable versions of string-length
  node_modules/@jest/reporters
    @jest/core  <=25.5.4
    Depends on vulnerable versions of @jest/reporters
    Depends on vulnerable versions of jest-config
    Depends on vulnerable versions of strip-ansi
    node_modules/@jest/core
      jest-cli  20.1.0-alpha.1 - 25.0.0
      Depends on vulnerable versions of @jest/core
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of jest-validate
      Depends on vulnerable versions of yargs
      node_modules/jest-cli
        jest  24.2.0-alpha.0 - 24.9.0
        Depends on vulnerable versions of jest-cli
        node_modules/jest

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.8.0
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of @typescript-eslint/eslint-plugin
          Depends on vulnerable versions of eslint
          Depends on vulnerable versions of eslint-config-react-app
          Depends on vulnerable versions of eslint-loader
          Depends on vulnerable versions of jest-environment-jsdom-fourteen
          Depends on vulnerable versions of jest-watch-typeahead
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

postcss  7.0.0 - 7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  3.0.1 - 3.1.3 || 4.0.0-alpha.1 - 4.0.0-beta.2
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
    react-scripts  >=0.8.0
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of @typescript-eslint/eslint-plugin
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of eslint-config-react-app
    Depends on vulnerable versions of eslint-loader
    Depends on vulnerable versions of jest-environment-jsdom-fourteen
    Depends on vulnerable versions of jest-watch-typeahead
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

react-dev-utils  0.4.0 - 12.0.0-next.37
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/react-dev-utils
  react-scripts  >=0.8.0
  Depends on vulnerable versions of @svgr/webpack
  Depends on vulnerable versions of @typescript-eslint/eslint-plugin
  Depends on vulnerable versions of eslint
  Depends on vulnerable versions of eslint-config-react-app
  Depends on vulnerable versions of eslint-loader
  Depends on vulnerable versions of jest-environment-jsdom-fourteen
  Depends on vulnerable versions of jest-watch-typeahead
  Depends on vulnerable versions of react-dev-utils
  Depends on vulnerable versions of resolve-url-loader
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-server
  node_modules/react-scripts

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/micromatch/node_modules/braces
        node_modules/watchpack-chokidar2/node_modules/braces
        node_modules/webpack-dev-server/node_modules/braces
          chokidar  1.0.0-rc1 - 2.1.8
          Depends on vulnerable versions of braces
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of readdirp
          node_modules/watchpack-chokidar2/node_modules/chokidar
          node_modules/webpack-dev-server/node_modules/chokidar
            watchpack-chokidar2  *
            Depends on vulnerable versions of chokidar
            node_modules/watchpack-chokidar2
              watchpack  1.7.2 - 1.7.5
              Depends on vulnerable versions of watchpack-chokidar2
              node_modules/watchpack
                webpack  4.0.0-alpha.0 - 5.0.0-rc.6
                Depends on vulnerable versions of micromatch
                Depends on vulnerable versions of watchpack
                node_modules/react-scripts/node_modules/webpack
                node_modules/react-scripts/node_modules/webpack/node_modules/webpack
                node_modules/webpack
                  react-scripts  >=0.8.0
                  Depends on vulnerable versions of @svgr/webpack
                  Depends on vulnerable versions of @typescript-eslint/eslint-plugin
                  Depends on vulnerable versions of eslint
                  Depends on vulnerable versions of eslint-config-react-app
                  Depends on vulnerable versions of eslint-loader
                  Depends on vulnerable versions of jest-environment-jsdom-fourteen
                  Depends on vulnerable versions of jest-watch-typeahead
                  Depends on vulnerable versions of react-dev-utils
                  Depends on vulnerable versions of resolve-url-loader
                  Depends on vulnerable versions of webpack
                  Depends on vulnerable versions of webpack-dev-server
                  node_modules/react-scripts
            webpack-dev-server  2.0.0-beta - 4.1.0
            Depends on vulnerable versions of ansi-html
            Depends on vulnerable versions of chokidar
            Depends on vulnerable versions of http-proxy-middleware
            Depends on vulnerable versions of yargs
            node_modules/webpack-dev-server
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/micromatch
          @jest/transform  <=24.9.0
          Depends on vulnerable versions of micromatch
          node_modules/@jest/transform
            @jest/environment  <=24.9.0
            Depends on vulnerable versions of @jest/transform
            node_modules/@jest/environment
              jest-environment-jsdom  24.2.0-alpha.0 - 24.9.0
              Depends on vulnerable versions of @jest/environment
              node_modules/jest-environment-jsdom
              jest-environment-jsdom-fourteen  >=1.0.0-alpha.0
              Depends on vulnerable versions of @jest/environment
              node_modules/jest-environment-jsdom-fourteen
              jest-environment-node  24.2.0-alpha.0 - 24.9.0
              Depends on vulnerable versions of @jest/environment
              node_modules/jest-environment-node
              jest-runner  21.0.0-alpha.1 - 24.9.0
              Depends on vulnerable versions of @jest/environment
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-jasmine2
              Depends on vulnerable versions of jest-leak-detector
              node_modules/jest-runner
                @jest/test-sequencer  <=24.9.0
                Depends on vulnerable versions of jest-runner
                node_modules/@jest/test-sequencer
                  jest-config  20.1.0-alpha.1 - 24.9.0
                  Depends on vulnerable versions of @jest/test-sequencer
                  Depends on vulnerable versions of babel-jest
                  Depends on vulnerable versions of jest-jasmine2
                  Depends on vulnerable versions of micromatch
                  Depends on vulnerable versions of pretty-format
                  node_modules/jest-config
                    @jest/core  <=25.5.4
                    Depends on vulnerable versions of @jest/reporters
                    Depends on vulnerable versions of jest-config
                    Depends on vulnerable versions of strip-ansi
                    node_modules/@jest/core
                      jest-cli  20.1.0-alpha.1 - 25.0.0
                      Depends on vulnerable versions of @jest/core
                      Depends on vulnerable versions of jest-config
                      Depends on vulnerable versions of jest-validate
                      Depends on vulnerable versions of yargs
                      node_modules/jest-cli
                        jest  24.2.0-alpha.0 - 24.9.0
                        Depends on vulnerable versions of jest-cli
                        node_modules/jest
                    jest-runtime  20.1.0-alpha.1 - 25.0.0
                    Depends on vulnerable versions of @jest/transform
                    Depends on vulnerable versions of jest-config
                    Depends on vulnerable versions of jest-haste-map
                    Depends on vulnerable versions of jest-snapshot
                    Depends on vulnerable versions of jest-validate
                    Depends on vulnerable versions of yargs
                    node_modules/jest-runtime
                      @jest/reporters  <=26.4.0
                      Depends on vulnerable versions of jest-runtime
                      Depends on vulnerable versions of node-notifier
                      Depends on vulnerable versions of string-length
                      node_modules/@jest/reporters
                      jest-jasmine2  20.1.0-alpha.1 - 24.9.0
                      Depends on vulnerable versions of jest-each
                      Depends on vulnerable versions of jest-matcher-utils
                      Depends on vulnerable versions of jest-message-util
                      Depends on vulnerable versions of jest-runtime
                      Depends on vulnerable versions of pretty-format
                      node_modules/jest-jasmine2
            babel-jest  24.2.0-alpha.0 - 24.9.0
            Depends on vulnerable versions of @jest/transform
            node_modules/babel-jest
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/jest-haste-map/node_modules/anymatch
          node_modules/sane/node_modules/anymatch
          node_modules/watchpack-chokidar2/node_modules/anymatch
          node_modules/webpack-dev-server/node_modules/anymatch
            jest-haste-map  23.2.0 || 24.0.0-alpha.0 - 26.6.2
            Depends on vulnerable versions of anymatch
            Depends on vulnerable versions of jest-util
            Depends on vulnerable versions of micromatch
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
          fast-glob  <=2.2.7
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of micromatch
          node_modules/fast-glob
            globby  8.0.0 - 9.2.0
            Depends on vulnerable versions of fast-glob
            node_modules/globby
              react-dev-utils  0.4.0 - 12.0.0-next.37
              Depends on vulnerable versions of browserslist
              Depends on vulnerable versions of fork-ts-checker-webpack-plugin
              Depends on vulnerable versions of globby
              Depends on vulnerable versions of immer
              Depends on vulnerable versions of inquirer
              node_modules/react-dev-utils
          fork-ts-checker-webpack-plugin  0.4.14 - 4.1.6
          Depends on vulnerable versions of micromatch
          node_modules/fork-ts-checker-webpack-plugin
          http-proxy-middleware  0.18.0 - 0.19.2
          Depends on vulnerable versions of micromatch
          node_modules/http-proxy-middleware
          jest-message-util  23.2.0 - 23.3.0 || 24.0.0-alpha.0 - 24.9.0
          Depends on vulnerable versions of micromatch
          node_modules/jest-message-util
            @jest/fake-timers  <=24.9.0
            Depends on vulnerable versions of jest-message-util
            node_modules/@jest/fake-timers
              jest-util  24.2.0-alpha.0 - 24.9.0
              Depends on vulnerable versions of @jest/fake-timers
              node_modules/jest-util
                jest-each  23.0.1 - 24.9.0
                Depends on vulnerable versions of jest-util
                Depends on vulnerable versions of pretty-format
                node_modules/jest-each
                jest-watcher  <=26.0.0-alpha.2
                Depends on vulnerable versions of jest-util
                Depends on vulnerable versions of string-length
                node_modules/jest-watcher
                  jest-watch-typeahead  <=0.5.0
                  Depends on vulnerable versions of jest-watcher
                  Depends on vulnerable versions of string-length
                  Depends on vulnerable versions of strip-ansi
                  node_modules/jest-watch-typeahead
            expect  21.0.0-beta.1 - 24.9.0
            Depends on vulnerable versions of jest-matcher-utils
            Depends on vulnerable versions of jest-message-util
            node_modules/expect
              jest-snapshot  20.1.0-alpha.1 - 24.9.0
              Depends on vulnerable versions of expect
              Depends on vulnerable versions of jest-message-util
              Depends on vulnerable versions of pretty-format
              node_modules/jest-snapshot
                jest-resolve-dependencies  23.0.0-alpha.5 - 24.9.0
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-resolve-dependencies
          readdirp  2.2.0 - 2.2.1
          Depends on vulnerable versions of micromatch
          node_modules/watchpack-chokidar2/node_modules/readdirp
          node_modules/webpack-dev-server/node_modules/readdirp
          sane  2.5.0 - 4.1.0
          Depends on vulnerable versions of micromatch
          node_modules/sane
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

84 vulnerabilities (39 moderate, 44 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Even more vulnerabilities now, but at least there's one less 'critical' one, and running the app produces a friendlier error message:

$ npm start

> hello-world@0.1.0 start
> react-scripts start

There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.

The react-scripts package provided by Create React App requires a dependency:

  "webpack": "4.42.0"

Don't try to install it manually: your package manager does it automatically.
However, a different version of webpack was detected higher up in the tree:

  /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack (version: 4.46.0) 

Manually installing incompatible versions is known to cause hard-to-debug issues.

If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.

To fix the dependency tree, try following the steps below in the exact order:

  1. Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
  2. Delete node_modules in your project folder.
  3. Remove "webpack" from dependencies and/or devDependencies in the package.json file in your project folder.
  4. Run npm install or yarn, depending on the package manager you use.

In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:

  5. If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
     This may help because npm has known issues with package hoisting which may get resolved in future versions.

  6. Check if /home/mscheper/git/r17dpabp/hello-world/node_modules/webpack is outside your project directory.
     For example, you might have accidentally installed something in your home folder.

  7. Try running npm ls webpack in your project folder.
     This will tell you which other package (apart from the expected react-scripts) installed webpack.

If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.

P.S. We know this message is long but please read the steps above :-) We hope you find them helpful!

Friendly, but not entirely helpful, unfortunately. 😏 webpack isn't in hello-world/package.json, and I don't have it installed on my system.

I tried running npm install anyhow (step 4), and got this:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: react-scripts@3.4.4
npm ERR! Found: typescript@4.4.4
npm ERR! node_modules/typescript
npm ERR!   typescript@"^4.4.4" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR! node_modules/react-scripts
npm ERR!   react-scripts@"^3.4.4" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: typescript@3.9.10
npm ERR! node_modules/typescript
npm ERR!   peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR!   node_modules/react-scripts
npm ERR!     react-scripts@"^3.4.4" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /home/mscheper/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/mscheper/.npm/_logs/2021-10-21T18_13_30_217Z-debug.log

Ah! I did install typescript on my system, because it listed as a requirement, earlier in the chapter. Maybe that was a mistake, so I removed it and tried again.

$ sudo apt remove node-typescript
[success]
$ rm package-lock.json 
rm: cannot remove 'package-lock.json': No such file or directory
$ rm -R node_modules
rm: cannot remove 'node_modules': No such file or directory
$ npm install
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: react-scripts@3.4.4
npm ERR! Found: typescript@4.4.4
npm ERR! node_modules/typescript
npm ERR!   typescript@"^4.4.4" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR! node_modules/react-scripts
npm ERR!   react-scripts@"^3.4.4" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: typescript@3.9.10
npm ERR! node_modules/typescript
npm ERR!   peerOptional typescript@"^3.2.1" from react-scripts@3.4.4
npm ERR!   node_modules/react-scripts
npm ERR!     react-scripts@"^3.4.4" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /home/mscheper/.npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/mscheper/.npm/_logs/2021-10-21T18_16_19_189Z-debug.log

🤔 So typescript is still a problem.

I removed the entire hello-world directory structure and started all over again, and got exactly the same results, so removing the system typescript hasn't made a difference.

I installed yarn (step 5), but didn't really know how to use it, and since webpack wasn't in hello-world/package.json, I didn't delve deeper.

There is, however, a webpack subdirectory under hello-world/node_modules (step 6), which I can't explain, but it looks like a pretty normal package directory to me.

As for step 7:

$ npm ls webpack
hello-world@0.1.0 /home/mscheper/git/r17dpabp/hello-world
└─┬ react-scripts@3.4.4
  ├─┬ babel-loader@8.1.0
  │ └─┬ webpack@4.46.0
  │   └─┬ terser-webpack-plugin@1.4.5
  │     └── webpack@4.46.0 deduped
  ├─┬ css-loader@3.4.2
  │ └── webpack@4.46.0 deduped
  ├─┬ eslint-loader@3.0.3
  │ └── webpack@4.46.0 deduped
  ├─┬ file-loader@4.3.0
  │ └── webpack@4.46.0 deduped
  ├─┬ html-webpack-plugin@4.0.0-beta.11
  │ └── webpack@4.46.0 deduped
  ├─┬ mini-css-extract-plugin@0.9.0
  │ └── webpack@4.46.0 deduped
  ├─┬ optimize-css-assets-webpack-plugin@5.0.3
  │ └── webpack@4.46.0 deduped
  ├─┬ sass-loader@8.0.2
  │ └── webpack@4.46.0 deduped
  ├─┬ terser-webpack-plugin@2.3.8
  │ └── webpack@4.46.0 deduped
  ├─┬ url-loader@2.3.0
  │ └── webpack@4.46.0 deduped
  ├─┬ webpack-dev-server@3.11.0
  │ ├─┬ webpack-dev-middleware@3.7.3
  │ │ └── webpack@4.46.0 deduped
  │ └── webpack@4.46.0 deduped
  ├─┬ webpack-manifest-plugin@2.2.0
  │ └── webpack@4.46.0 deduped
  ├─┬ webpack@4.42.0
  │ └─┬ terser-webpack-plugin@1.4.5
  │   └── webpack@4.46.0
  └─┬ workbox-webpack-plugin@4.3.1
    └── webpack@4.46.0 deduped

I don't know what this indicates, though.

I also tried creating a hello-world/.env file and putting SKIP_PREFLIGHT_CHECK=true in it. That just made the ERR_OSSL_EVP_UNSUPPORTED error come up again. I've also tried npm audit fix --force a few more times, but that only increased the number of vulnerabilities.

I'd love for this to work, because it sounds simpler than the way I've created React projects in the past, and hopefully easier for other devs to get set up on the same project. Any ideas?

[ericcAtGitHub]

1. Instead of using "create-react-app hello-world --template typescript", try the following: "npx create-react-app hello-world --template typescript"

2. About the vulnerabilities issue, see the info available at https://github.com/facebook/create-react-app/issues/11174

[mscheper]

@ericcAtGitHub: Thanks for your comment.

Prepending the command in the book with npx didn't make any difference at all, unfortunately; I'm still seeing ERR_OSSL_EVP_UNSUPPORTED. Any idea what that means?

re the issue you linked to: I tried moving react-scripts to devDependencies and running with the --production switch, and this also didn't change anything. I kept reading the thread but honestly got lost. Is the upshot that we should just ignore the vulnerabilities? If so, I hope this will be mentioned in a future edition of the book, because they do look concerning for people new to this tool.

[ericcAtGitHub]

@mscheper Sorry that my haste solution doesn't help for the first issue. For the second issue, the info convinces me to ignore those vulnerabilities in the meantime (surely this is not from an expert's view).

[TheFalseFriend]

@mscheper - not sure if you ever ended up with a resolution, but it seems the error regarding ERR_OSSL_EVP_UNSUPPORTED relates to some changes in Node 17 (pertaining to SSL usage). Assuming you're using nvm, I'll bet if you do e.g.:

$ nvm use 16

...and retry whatever you were doing previously that triggered the error, it won't appear this time around (consider the security implication of such a quick fix, though - i.e. it sounds like Node 17 is enforcing a tighter security requirement). See e.g. this SO post for some further reference.

Regarding the other security errors: as mentioned in this comment, see https://github.com/facebook/create-react-app/issues/11174.

[mscheper]

@TheFalseFriend: I'm on another new project now, so I just gave it another go, and yes, npx create-react-app hello-world --template typescript now works. There was a deprecation warning and '8 moderate severity vulnerabilities', but the web page shown on p.20 of the book appeared for me, unlike when I created this issue. 🎈

@ericcAtGitHub: I suggest future editions of the book direct readers to install a particular version, known to be working. It would also be helpful to suggest where to go for help, if it doesn't.

And as I said in this comment, I got lost wading through the comments in issue 11174, but it seems to imply that these 'security issues' should just be ignored. Since this is counterintuitive, it is also worth mentioning in the book, I reckon. As a very experienced developer, I've learnt to take web security seriously, and I'm sure those warnings would be scary for anyone starting out as well.

Thanks, both of you, for your help.