80 vulnerabilities (35 moderate, 44 high, 1 critical)

Is this a normal issue that you go through and fix? What do I do?

Example:

# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
    react-scripts  >=0.8.0
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of jest
    Depends on vulnerable versions of jest-environment-jsdom-fourteen
    Depends on vulnerable versions of jest-watch-typeahead
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

• (2 votes) `npm audit` is a waste of time: https://overreacted.io/npm-audit-broken-by-design/ – keul Oct 29 '21 at 13:34
• (1 vote) @keul While you decide to ignore them, you may as well pull in all malicious packages saying that it doesn't matter because you only use them in development. – SharedRory Oct 29 '21 at 13:35
• (1 vote) I don't say this is not possible, I'm just saying _this_ audit model is broken. On a front-end env 99.8% of times you are wasting your time. There are better tools, like Snyk – keul Oct 29 '21 at 13:45
• Am I overreacting? I don't have a mentor or anyone around to really ask. I'm solo learning this stuff. Do I have to worry about this stuff right now? npm makes it seem like a huge deal, with high and critical vulnerabilities and such. – DrakeColeman Oct 29 '21 at 13:49
• @DrakeColeman Let's say you can manually check them, not by checking them one at a time, but by looking at main modules. For example: can you trust `react-scripts`? I would say "yes", so… move along to the next one. – keul Oct 29 '21 at 14:03
• That makes sense. The only issue is the "looking" part. I have no idea what I'm looking at in the console. It looks so foreign and confusing. It would help if it said stuff I have learned about, but it's some of the most random, most unheard-of words and descriptions it uses, these dependencies and locations. – DrakeColeman Oct 29 '21 at 14:05
• (1 vote) Open pull requests with each repo to patch the vuln. Welcome to OSS. – morganney Oct 29 '21 at 14:15
• Does this answer your question? [Npm audit fix --force react script downgrade automatically](https://stackoverflow.com/questions/67693423/npm-audit-fix-force-react-script-downgrade-automatically) – Andrey Nov 28 '21 at 14:33
