3

When I install react-scripts I get 58 vulnerabilities (16 moderate, 40 high, 2 critical)

My setup is:

  • Linux Debian 10
  • Nodejs v14.18.1
  • Npm 8.1.0
  • react 17.0.2
  • react-scripts 4.0.3

Deprecated packages:

  • flatten@1.0.3
  • @hapi/topo@3.1.6
  • @hapi/bourne@1.3.2
  • urix@0.1.0
  • resolve-url@0.2.1
  • querystring@0.2.1
  • sane@4.1.0
  • chokidar@2.1.8
  • querystring@0.2.0
  • babel-eslint@10.1.0
  • @hapi/address@2.1.4
  • rollup-plugin-babel@4.4.0
  • uuid@3.4.0
  • @hapi/joi@15.1.1
  • svgo@1.3.2
  • core-js@2.6.12

Please help!

V.Hure
  • 31
  • 3
  • Does this answer your question? [Npm audit fix --force react script downgrade automatically](https://stackoverflow.com/questions/67693423/npm-audit-fix-force-react-script-downgrade-automatically) – Andrey Nov 11 '21 at 10:15

1 Answer

4

If you are installing the latest version of react-scripts, it is very unlikely to be a problem.

You should consider moving react-scripts from dependencies to devDependencies in your package, if it is not there already, and run `npm audit --production` instead of `npm audit`. Basically, having "vulnerabilities" in dev dependencies is most likely not an issue, as they cannot be exploited.

This issue on the create-react-app repository explains it in detail: https://github.com/facebook/create-react-app/issues/11174

And this article from the same author explains the problem with npm audit in a more general context: https://overreacted.io/npm-audit-broken-by-design/

Houssam
  • 1,848
  • 1
  • 4
  • 24
  • Thank you, now it's clear for me! – V.Hure Oct 17 '21 at 14:14
  • Perhaps I understand react-script incorrectly, but doesn't react-script use a bundler that doesn't really care about what is and what isn't in devDependencies? – Tristel Oct 04 '22 at 14:21
  • @houssam > "Basically, having "vulnerabilities" in dev dependencies is most likely not an issue as they cannot be exploited." I get your point, but maybe oversimplified. From the linked article: "As any security professional will tell you, development dependencies actually are an attack vector, and perhaps one of the most dangerous ones [...]" – retrovertigo Feb 26 '23 at 23:21
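As an added illustration of the answer's point (example code written for this page, not from the asker's project or from create-react-app), the script below uses the shape npm 7/8 writes into package-lock.json, where packages reachable only through devDependencies are flagged `"dev": true`, and splits a constructed audit report into the findings `npm audit --production` drops and the ones it keeps. The lockfile and audit fragments are constructed samples in the real file shapes; the package names are taken from the question.

```javascript
// Added example (not from the question or answer): simulate what
// `npm audit --production` does with an npm 7/8 package-lock.json (lockfileVersion 2).
// Its "packages" map flags every package that is reachable only through
// devDependencies with "dev": true; findings whose affected nodes are all dev-only
// are the ones a production audit omits. Both objects below are constructed samples.

// Constructed lockfile v2 fragment: react-scripts sits in devDependencies,
// so it and what only it pulls in carry "dev": true.
const lock = {
  lockfileVersion: 2,
  packages: {
    '': {
      dependencies: { react: '^17.0.2' },
      devDependencies: { 'react-scripts': '4.0.3' },
    },
    'node_modules/react': { version: '17.0.2' },
    'node_modules/react-scripts': { version: '4.0.3', dev: true },
    'node_modules/svgo': { version: '1.3.2', dev: true },
    // Constructed: treated as also reachable from a production dependency.
    'node_modules/core-js': { version: '2.6.12' },
  },
};

// Constructed findings in the style of `npm audit --json`: name -> severity and paths.
const audit = {
  vulnerabilities: {
    svgo: { severity: 'high', nodes: ['node_modules/svgo'] },
    'core-js': { severity: 'moderate', nodes: ['node_modules/core-js'] },
  },
};

// Lockfile paths that are only reachable via devDependencies (root entry '' excluded).
function devOnlyPaths(lockfile) {
  return new Set(
    Object.entries(lockfile.packages)
      .filter(([path, entry]) => path !== '' && entry.dev === true)
      .map(([path]) => path),
  );
}

// A finding is dev-only when every node it affects is a dev-only path;
// otherwise it still shows up in a production audit.
function splitAudit(lockfile, report) {
  const dev = devOnlyPaths(lockfile);
  const result = { production: [], devOnly: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    const allDev = v.nodes.every((p) => dev.has(p));
    (allDev ? result.devOnly : result.production).push(`${name} (${v.severity})`);
  }
  return result;
}

const split = splitAudit(lock, audit);
console.log('dropped by --production:', split.devOnly, '| still reported:', split.production);
```

With npm 8, `--production` is a deprecated alias of `--omit=dev`, which filters on the same lockfile flag.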