> npm install firebase      
added 13 packages, changed 1 package, and audited 2276 packages in 7s

148 packages are looking for funding
  run `npm fund` for details

70 vulnerabilities (24 moderate, 44 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

 ~/web dev/web_projects/github/youtube-disney-clone  master !10 ?4                                          8s 
> npm audit               
# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of webpack-dev-server
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install firebase-tools@7.1.1, which is a breaking change
node_modules/inquirer/node_modules/ansi-regex
node_modules/inquirer/node_modules/string-width/node_modules/ansi-regex
node_modules/ora/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/inquirer/node_modules/string-width/node_modules/strip-ansi
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/ora/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/cliui/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/webpack-dev-server/node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/webpack-dev-server/node_modules/yargs
        webpack-dev-server  2.0.0-beta - 4.1.0
        Depends on vulnerable versions of ansi-html
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
          @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
          Depends on vulnerable versions of ansi-html
          Depends on vulnerable versions of webpack-dev-server
          node_modules/@pmmmwh/react-refresh-webpack-plugin
            react-scripts  >=0.10.0-alpha.328cb32e
            Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
            Depends on vulnerable versions of @svgr/webpack
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of react-dev-utils
            Depends on vulnerable versions of webpack
            Depends on vulnerable versions of webpack-dev-server
            node_modules/react-scripts
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
      firebase-tools  >=6.12.0
      Depends on vulnerable versions of inquirer
      Depends on vulnerable versions of ora
      node_modules/firebase-tools
    ora  2.0.0 - 4.0.2
    Depends on vulnerable versions of strip-ansi
    node_modules/ora
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer/node_modules/string-width
    node_modules/webpack-dev-server/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/webpack-dev-server/node_modules/wrap-ansi

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/browserslist
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.37
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of fork-ts-checker-webpack-plugin
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string

dns-packet  <1.3.2
Severity: high
Potential memory exposure in dns-packet - https://github.com/advisories/GHSA-3wcq-x3mq-6r9p
fix available via `npm audit fix`
node_modules/dns-packet

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/chokidar/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.0.0-alpha.0 - 5.0.0-rc.6
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of watchpack
        node_modules/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
    webpack-dev-server  2.0.0-beta - 4.1.0
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
      Depends on vulnerable versions of ansi-html
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

immer  <9.0.6
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/immer
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.37
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of fork-ts-checker-webpack-plugin
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

is-svg  2.1.0 - 4.2.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-7r28-3m3f-r2pr
fix available via `npm audit fix`
node_modules/is-svg
  postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
  Depends on vulnerable versions of is-svg
  Depends on vulnerable versions of svgo
  node_modules/postcss-svgo

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    renderkid  1.0.0 - 2.0.5
    Depends on vulnerable versions of css-select
    node_modules/renderkid
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of is-svg
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

postcss  7.0.0 - 7.0.35 || 8.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix`
node_modules/postcss
node_modules/postcss-safe-parser/node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  3.0.1 - 3.1.3 || 4.0.0-alpha.1 - 4.0.0-beta.2
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install react-scripts@3.4.4, which is a breaking change
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/anymatch/node_modules/braces
        node_modules/chokidar/node_modules/braces
        node_modules/fork-ts-checker-webpack-plugin/node_modules/braces
        node_modules/http-proxy-middleware/node_modules/braces
        node_modules/readdirp/node_modules/braces
        node_modules/sane/node_modules/braces
        node_modules/webpack/node_modules/braces
          chokidar  1.0.0-rc1 - 2.1.8
          Depends on vulnerable versions of braces
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of readdirp
          node_modules/chokidar
            watchpack-chokidar2  *
            Depends on vulnerable versions of chokidar
            node_modules/watchpack-chokidar2
              watchpack  1.7.2 - 1.7.5
              Depends on vulnerable versions of watchpack-chokidar2
              node_modules/watchpack
                webpack  4.0.0-alpha.0 - 5.0.0-rc.6
                Depends on vulnerable versions of micromatch
                Depends on vulnerable versions of watchpack
                node_modules/webpack
                  react-scripts  >=0.10.0-alpha.328cb32e
                  Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
                  Depends on vulnerable versions of @svgr/webpack
                  Depends on vulnerable versions of babel-jest
                  Depends on vulnerable versions of react-dev-utils
                  Depends on vulnerable versions of webpack
                  Depends on vulnerable versions of webpack-dev-server
                  node_modules/react-scripts
            webpack-dev-server  2.0.0-beta - 4.1.0
            Depends on vulnerable versions of ansi-html
            Depends on vulnerable versions of chokidar
            Depends on vulnerable versions of http-proxy-middleware
            Depends on vulnerable versions of yargs
            node_modules/webpack-dev-server
              @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
              Depends on vulnerable versions of ansi-html
              Depends on vulnerable versions of webpack-dev-server
              node_modules/@pmmmwh/react-refresh-webpack-plugin
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/anymatch/node_modules/micromatch
        node_modules/fork-ts-checker-webpack-plugin/node_modules/micromatch
        node_modules/http-proxy-middleware/node_modules/micromatch
        node_modules/readdirp/node_modules/micromatch
        node_modules/sane/node_modules/micromatch
        node_modules/webpack/node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/anymatch
          fork-ts-checker-webpack-plugin  0.4.14 - 4.1.6
          Depends on vulnerable versions of micromatch
          node_modules/fork-ts-checker-webpack-plugin
            react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.37
            Depends on vulnerable versions of browserslist
            Depends on vulnerable versions of fork-ts-checker-webpack-plugin
            Depends on vulnerable versions of immer
            node_modules/react-dev-utils
          http-proxy-middleware  0.18.0 - 0.19.2
          Depends on vulnerable versions of micromatch
          node_modules/http-proxy-middleware
          readdirp  2.2.0 - 2.2.1
          Depends on vulnerable versions of micromatch
          node_modules/readdirp
          sane  2.5.0 - 4.1.0
          Depends on vulnerable versions of micromatch
          node_modules/sane
            jest-haste-map  24.0.0-alpha.0 - 26.6.2
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
              @jest/core  <=26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/@jest/core
                jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-cli
                node_modules/jest
                  jest-watch-typeahead  0.6.0 - 0.6.3
                  Depends on vulnerable versions of jest
                  node_modules/jest-watch-typeahead
                jest-cli  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-config
                node_modules/jest-cli
              @jest/reporters  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/reporters
              @jest/test-sequencer  <=26.6.3
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/test-sequencer
                jest-config  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/test-sequencer
                Depends on vulnerable versions of babel-jest
                node_modules/jest-config
                  jest-runner  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  node_modules/jest-runner
                    jest-circus  25.2.4 - 26.6.3
                    Depends on vulnerable versions of jest-runner
                    Depends on vulnerable versions of jest-runtime
                    Depends on vulnerable versions of jest-snapshot
                    node_modules/jest-circus
                  jest-runtime  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of @jest/transform
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  Depends on vulnerable versions of jest-snapshot
                  node_modules/jest-runtime
                    jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                    Depends on vulnerable versions of jest-runtime
                    Depends on vulnerable versions of jest-snapshot
                    node_modules/jest-jasmine2
              @jest/transform  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/transform
                babel-jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/transform
                node_modules/babel-jest
                node_modules/react-scripts/node_modules/babel-jest
              jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/jest-snapshot
                jest-resolve-dependencies  26.1.0 - 26.6.3
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-resolve-dependencies
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/webpack/node_modules/ssri

tmpl  <1.0.5
Severity: moderate
Regular Expression Denial of Service in tmpl - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

url-parse  <1.5.2
Severity: moderate
Open redirect in url-parse - https://github.com/advisories/GHSA-hh27-ffr2-f2jc
fix available via `npm audit fix`
node_modules/url-parse

ws  6.0.0 - 6.2.1
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/webpack-dev-server/node_modules/ws

70 vulnerabilities (24 moderate, 44 high, 2 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

Apoorva Chikara
Aryan Bagade
  • First of all, try to show the specific code or the error details instead of copy-pasting the error stack. It won't help readers give you an answer. Tell the steps and the issues you are facing line by line. I suggest you edit the question. – Apoorva Chikara Oct 18 '21 at 08:01
  • It seems the issue is with `Inefficient Regular Expression Complexity in chalk/ansi-regex`/ `chalk`. Try to check the version or its dependency versions to make sure things work. – Apoorva Chikara Oct 18 '21 at 08:02
  • Please trim your code to make it easier to find your problem. Follow these guidelines to create a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example). – Community Oct 18 '21 at 08:25

1 Answer

It looks like you have a few issues in there, so it would be helpful to narrow down the scope of your question to a specific error that you are having trouble resolving.

In general, your approach to resolving security issues like this should be twofold:

  1. Try to update your dependencies to the latest version. If this fixes your security warnings, great! Otherwise, notify the maintainers of the affected dependencies of the issue.
  2. Don't want to wait for patches? No problem. This is why npm-force-resolutions was created. Use it as a temporary means to resolve security vulnerabilities.

Note: One of the packages affected for you is ansi-html. This can be a tricky case to resolve, since you will need to patch with a different package entirely called ansi-html-community. For details on how to do this, please refer to the following thread:

How to override a nested npm sub-dependency with a different package altogether (not just different package version number)?

Justin Dehorty
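An added example of the answer's second step (written here, not taken from the answer or from the npm-force-resolutions project): the `preinstall` hook rewrites package-lock.json before every install, and `resolutions` pins the transitive packages that this audit said it could only fix with `--force`, at the first patched version each vulnerable range implies (`immer <9.0.6`, `nth-check <2.0.1`, `glob-parent <5.1.2`). The project name is taken from the prompt in the question; the `dependencies` section is omitted because the question does not show it.

```json
{
  "name": "youtube-disney-clone",
  "private": true,
  "scripts": {
    "preinstall": "npx npm-force-resolutions",
    "start": "react-scripts start",
    "build": "react-scripts build"
  },
  "resolutions": {
    "immer": "9.0.6",
    "nth-check": "2.0.1",
    "glob-parent": "5.1.2"
  }
}
```

ansi-html is deliberately absent: its vulnerable range in the audit is `*`, so no version pin helps and it has to be swapped for ansi-html-community as the note above says. A pin that jumps past the major version a parent package declared is the same breaking change npm warned about with `--force`, so run the app and its tests after installing.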