facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License
102.81k stars 26.87k forks

Npx create-react-app: 8 vulnerabilities (2 moderate, 6 high) #13607

Open josegabrielc opened 5 months ago

josegabrielc commented 5 months ago

Describe the bug

When I create a new application with npx create-react-app and install any dependencies, I receive the message: 8 vulnerabilities (2 moderate, 6 high)

Did you try recovering your dependencies?

I've already started other projects from scratch and also performed global npm updates. Unsuccessful.

Environment

Environment Info:

current version of create-react-app: 5.0.1 running from C:\Users\joseg\AppData\Local\npm-cache_npx\c67e74de0542c87c\node_modules\create-react-app

System:
  OS: Windows 11 10.0.22631
  CPU: (16) x64 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
Binaries:
  Node: 22.2.0 - C:\Program Files\nodejs\node.EXE
  Yarn: Not Found
  npm: 10.8.1 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Chrome: Not Found
  Edge: Chromium (125.0.2535.92)
  Internet Explorer: 11.0.22621.3527
npmPackages:
  react: ^18.3.1 => 18.3.1
  react-dom: ^18.3.1 => 18.3.1
  react-scripts: 5.0.1 => 5.0.1
npmGlobalPackages:
  create-react-app: Not Found

Steps to reproduce

  1. npx create-react-app .

Expected behavior

The correct thing would be not to show any type of error.

Actual behavior

Image of the error: [image]

After running npm fund:

[image]

samiul123 commented 5 months ago

Can I take this issue?

HaiJunCai8 commented 5 months ago

Has this issue been resolved? I am now encountering the same problem. After installing react-scripts@5.0.1, a security vulnerability has emerged, and it urgently needs to be addressed.

nuxy commented 4 months ago

Experiencing the same issue when creating a new TypeScript application.

$ create-react-app project --template
Creating a new React app in /home/work/project.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template-typescript...

added 1482 packages in 32s

262 packages are looking for funding
  run `npm fund` for details

Initialized a git repository.

Installing template dependencies using npm...

added 41 packages, removed 1 package, and changed 2 packages in 6s

262 packages are looking for funding
  run `npm fund` for details

We detected TypeScript in your project (src/App.test.tsx) and created a tsconfig.json file for you.

Your tsconfig.json has been populated with default values.

Removing template package using npm...

removed 1 package, and audited 1522 packages in 3s

262 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Any installs beyond this point are met with the same error above.

HaiJunCai8 commented 4 months ago

The following code can be added to the package.json file to resolve the issue:

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}

anwarattiq commented 4 months ago

Facing this issue after creating an app with npx create-react-app. Please help me to resolve it. [image]

Alama32 commented 4 months ago

Exactly the same problem, whether with React 18.0.0 or 18.3.1. audit fix changes nothing, and audit fix --force wrecks everything: far more errors, and an unusable application. [image]

Alama32 commented 4 months ago

The following code can be added to the package.json file to resolve the issue:

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}

This doesn't work for me; this code gives me lint errors.

josegabrielc commented 4 months ago

The following code can be added to the package.json file to resolve the issue:

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}

By adding these rules to package.json I no longer have errors reported. Why doesn't react itself update these libs in the current version of react-scripts? Are they too busy in v19?

For those who couldn't:

  1. Delete node_modules and package-lock.json
  2. Add the code block like this: [image]
  3. Run "npm install" on cmd

devilphenom commented 2 months ago

Client Vulnerabilities:

To address the 8 vulnerabilities, I updated the package.json with the following overrides and then reinstalled the dependencies:

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}

This action resolved the vulnerabilities.

[Screenshot 2024-09-08 172410]

JhoanMuriCh commented 2 months ago

The following code can be added to the package.json file to resolve the issue:

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}

By adding these rules to package.json I no longer have errors reported. Why doesn't React itself update these libs in the current version of react-scripts? Are they too busy in v19?

For those who couldn't:

  1. Delete node_modules and package-lock.json
  2. Add the code block like this: [image]
  3. Run "npm install" on cmd

Thanks, I was able to solve all the vulnerabilities.