5

Every time I create a React app with `npx create-react-app <AppName>`, I get:

96 vulnerabilities found - Packages audited: 1682
Severity: 65 Moderate | 30 High | 1 Critical
Node Version: v14.18.1
Npm: 7.20.5
React: ^17.0.2

When I use `npm audit fix` OR `npm audit fix --force`, these are the results:

68 vulnerabilities (21 moderate, 45 high, 2 critical)
47 vulnerabilities (12 low, 18 moderate, 15 high, 2 critical)
58 vulnerabilities (16 moderate, 40 high, 2 critical)
48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)
58 vulnerabilities (16 moderate, 40 high, 2 critical)

Here is the audit detail: Text File Link. What am I doing wrong?

Aly
  • I was confused and thought I'm doing something wrong – Aly Oct 14 '21 at 18:49
  • Does this answer your question? [Npm audit fix --force react script downgrade automatically](https://stackoverflow.com/questions/67693423/npm-audit-fix-force-react-script-downgrade-automatically) – Andrey Nov 11 '21 at 10:15

1 Answer

13

It's an NPM bug. See here for a longer explanation. You just need to put `react-scripts` in devDependencies like this:

```json
  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },
```

This issue has already been solved on GitHub: https://github.com/facebook/create-react-app/issues/11174. If you really want to audit, use `npm audit --production`.

Aly
  • As it's currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 14 '21 at 19:34
  • I fixed it. How about now? – Aly Oct 16 '21 at 12:26
  • This is a partial answer. The other half is adding --production flag when you npm audit. `$ npm audit --production` – corescan Dec 07 '21 at 15:24
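The fix described in the answer and its comments, as an added example that is not from the original post or from create-react-app itself: a small Node.js helper that moves a build-time package (here `react-scripts`) from `dependencies` to `devDependencies` while keeping its version range, and lists what remains in scope for `npm audit --production` (which walks production dependencies only). The function names and the sample `package.json` are this example's own; the package names and versions come from the question.

```javascript
// Added example (not code from the original post). Node.js, no third-party packages.
// Moves one package from "dependencies" to "devDependencies" in a parsed package.json,
// idempotently and without touching the caller's object.
function moveToDevDependencies(pkg, name) {
  const out = JSON.parse(JSON.stringify(pkg)); // deep copy
  out.dependencies = out.dependencies || {};
  out.devDependencies = out.devDependencies || {};
  if (!(name in out.dependencies)) {
    return out; // already moved (or never there): nothing to do
  }
  // Preserve the exact range the author had, e.g. "4.0.3" without a caret.
  out.devDependencies[name] = out.dependencies[name];
  delete out.dependencies[name];
  return out;
}

// Names that `npm audit --production` still covers after the move: only the
// production tree, so CRA toolchain advisories reached via react-scripts drop out.
function productionDependencies(pkg) {
  return Object.keys(pkg.dependencies || {}).sort();
}

// Text-level wrapper for a package.json read from disk: parses, moves, and
// re-serialises with npm's own two-space indent and trailing newline.
function rewritePackageJsonText(text, name) {
  const updated = moveToDevDependencies(JSON.parse(text), name);
  return JSON.stringify(updated, null, 2) + "\n";
}

// Constructed sample: the package.json CRA generates, with the versions from the question.
const SAMPLE_PACKAGE_JSON = {
  name: "my-app",
  dependencies: {
    react: "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3",
  },
};

const moved = moveToDevDependencies(SAMPLE_PACKAGE_JSON, "react-scripts");
console.log(JSON.stringify(moved, null, 2));
console.log("in scope for npm audit --production:", productionDependencies(moved).join(", "));
```

To apply it to a real project, read `package.json`, pass its text through `rewritePackageJsonText(text, "react-scripts")`, write the result back, and then run `npm install` followed by `npm audit --production`.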