
So, I'm learning to create a React app that uses a CSS framework like Materialize or Bootstrap. I used 2 different versions of npm to create the React JS app: the first one is npm 6 and the second one is npm 9.

When I installed Materialize or Bootstrap using npm 6, only 1 security vulnerability appeared, and it was fixed after I ran npm audit fix.

But when I use npm 9, 6 security vulnerabilities appear. To fix that, I tried npm audit fix and npm audit fix --force, but nothing changed; the security vulnerabilities still exist.

Here is how my terminals look:

[screenshot of the terminal output]

Is it because the npm package doesn't suit npm 9? If that's the case, is there a way I can use npm 9 to create a React app with Materialize or Bootstrap as the CSS framework?

Thank you

Firdaus
  • https://stackoverflow.com/questions/71282206/github-dependabot-alert-inefficient-regular-expression-complexity-in-nth-check - check this answer regarding the nth-check security vulnerability. – RRR Dec 17 '22 at 09:25
  • https://github.com/facebook/create-react-app/issues/11174 – jonrsharpe Dec 17 '22 at 09:37
  • @jonrsharpe so is it OK not to pay attention to that alarm? – Firdaus Dec 17 '22 at 09:50

1 Answer


I hit the same issue on a MacBook (macOS); what is slightly different from the above is:

  1. After running npm audit fix --force, it showed more alerts than before: 83 vulnerabilities (14 low, 19 moderate, 44 high, 6 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

  2. After running the above command again as suggested:

npm WARN using --force Recommended protections disabled.
npm WARN audit fix chownr@1.0.1 node_modules/react-scripts/node_modules/fsevents/node_modules/chownr
npm WARN audit fix chownr@1.0.1   is a bundled dependency of
npm WARN audit fix chownr@1.0.1   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix chownr@1.0.1   It cannot be fixed automatically.
npm WARN audit fix chownr@1.0.1   Check for updates to the fsevents package.
npm WARN audit fix ini@1.3.5 node_modules/react-scripts/node_modules/fsevents/node_modules/ini
npm WARN audit fix ini@1.3.5   is a bundled dependency of
npm WARN audit fix ini@1.3.5   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix ini@1.3.5   It cannot be fixed automatically.
npm WARN audit fix ini@1.3.5   Check for updates to the fsevents package.
npm WARN audit fix minimatch@3.0.4 node_modules/react-scripts/node_modules/fsevents/node_modules/minimatch
npm WARN audit fix minimatch@3.0.4   is a bundled dependency of
npm WARN audit fix minimatch@3.0.4   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix minimatch@3.0.4   It cannot be fixed automatically.
npm WARN audit fix minimatch@3.0.4   Check for updates to the fsevents package.
npm WARN audit fix minimist@0.0.8 node_modules/react-scripts/node_modules/fsevents/node_modules/minimist
npm WARN audit fix minimist@0.0.8   is a bundled dependency of
npm WARN audit fix minimist@0.0.8   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix minimist@0.0.8   It cannot be fixed automatically.
npm WARN audit fix minimist@0.0.8   Check for updates to the fsevents package.
npm WARN audit fix minimist@1.2.0 node_modules/react-scripts/node_modules/fsevents/node_modules/rc/node_modules/minimist
npm WARN audit fix minimist@1.2.0   is a bundled dependency of
npm WARN audit fix minimist@1.2.0   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix minimist@1.2.0   It cannot be fixed automatically.
npm WARN audit fix minimist@1.2.0   Check for updates to the fsevents package.
npm WARN audit fix tar@4.4.1 node_modules/react-scripts/node_modules/fsevents/node_modules/tar
npm WARN audit fix tar@4.4.1   is a bundled dependency of
npm WARN audit fix tar@4.4.1   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix tar@4.4.1   It cannot be fixed automatically.
npm WARN audit fix tar@4.4.1   Check for updates to the fsevents package.
npm WARN audit fix mkdirp@0.5.1 node_modules/react-scripts/node_modules/fsevents/node_modules/mkdirp
npm WARN audit fix mkdirp@0.5.1   is a bundled dependency of
npm WARN audit fix mkdirp@0.5.1   fsevents@1.2.4 at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix mkdirp@0.5.1   It cannot be fixed automatically.
npm WARN audit fix mkdirp@0.5.1   Check for updates to the fsevents package.
npm WARN audit Updating react-scripts to 5.0.1, which is a SemVer major change.
npm WARN deprecated rollup-plugin-terser@7.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead

added 410 packages, removed 1182 packages, changed 321 packages, and audited 1399 packages in 57s

235 packages are looking for funding
  run npm fund for details

npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run: npm audit fix --force


As you observed, it is back to 6 high severity vulnerabilities.

  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://stackoverflow.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://stackoverflow.com/help/whats-reputation), you can also [add a bounty](https://stackoverflow.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/34206329) – Dorian349 Apr 18 '23 at 14:56
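As an added example (not code from the question, the answer, npm or create-react-app): a small Python triage script for the `npm audit --json` report format that walks the `effects` chain from the nth-check advisory up to the direct dependency it reaches (react-scripts, exactly the chain in the audit report above), tells you whether that root lives only in devDependencies (the build-tooling split the linked CRA issue relies on), and reads `fixAvailable.isSemVerMajor` to show why `npm audit fix` without `--force` changes nothing. The audit JSON and both package.json variants are constructed samples; the react version and the chain's `severity`/`isDirect` values are assumptions.

```python
# Constructed sample (not real npm output) mirroring the advisory chain in the report above:
# nth-check -> css-select -> svgo -> @svgr/plugin-svgo -> @svgr/webpack -> react-scripts.
FIX = {"name": "react-scripts", "version": "2.1.3", "isSemVerMajor": True}
ADVISORY = {"name": "nth-check", "severity": "high", "range": "<2.0.1",
            "title": "Inefficient Regular Expression Complexity in nth-check",
            "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"}
CHAIN = ["nth-check", "css-select", "svgo", "@svgr/plugin-svgo", "@svgr/webpack", "react-scripts"]
SAMPLE_AUDIT = {"auditReportVersion": 2, "vulnerabilities": {}}
for i, pkg in enumerate(CHAIN):
    # Only the package carrying the advisory has a dict in `via`; the others name the package they are hit through.
    SAMPLE_AUDIT["vulnerabilities"][pkg] = {
        "name": pkg, "severity": "high", "isDirect": pkg == "react-scripts",
        "via": [ADVISORY] if i == 0 else [CHAIN[i - 1]],
        "effects": CHAIN[i + 1:i + 2], "fixAvailable": FIX}
# Constructed package.json variants: as create-react-app writes it, and with react-scripts moved to devDependencies.
CRA_DEFAULT = {"dependencies": {"react": "^18.2.0", "react-scripts": "5.0.1"}}
MOVED_TO_DEV = {"dependencies": {"react": "^18.2.0"}, "devDependencies": {"react-scripts": "5.0.1"}}

def roots_of(vulns, name, seen):
    """Walk `effects` upward to the packages nothing else depends on, i.e. your direct dependencies."""
    if name in seen:
        return set()
    seen.add(name)
    effects = vulns[name].get("effects") or []
    if not effects:
        return {name}
    return set().union(*(roots_of(vulns, e, seen) for e in effects))

def triage(audit, package_json):
    """Per advisory: which direct deps it reaches, whether those are dev-only, and whether a non-breaking fix exists."""
    dev = set(package_json.get("devDependencies", {}))
    prod = set(package_json.get("dependencies", {}))
    vulns = audit["vulnerabilities"]
    out = {}
    for name, v in vulns.items():
        advisories = [x for x in v["via"] if isinstance(x, dict)]
        if not advisories:
            continue  # transitive entry: vulnerable only through something below it
        roots = roots_of(vulns, name, set())
        fix = v.get("fixAvailable")
        out[name] = {
            "url": advisories[0]["url"],
            "roots": sorted(roots),
            "dev_only": bool(roots) and roots <= dev and not (roots & prod),
            # an object with isSemVerMajor=true means only --force (a breaking change) can apply the fix
            "fixable_without_force": fix is True or (isinstance(fix, dict) and not fix["isSemVerMajor"]),
        }
    return out

print(triage(SAMPLE_AUDIT, MOVED_TO_DEV))
```

Run it against real output with `npm audit --json > audit.json` and `json.load` in place of the constructed dicts; a finding whose roots are dev-only is build-time tooling that never ships in the bundle, while `fixable_without_force` being false is the reason the plain `npm audit fix` in the question left the count unchanged.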