I've created a new project to work on with Vite & React JS.
Running the command npm create vite@latest
works fine, and then I have to run npm install
This doesn't quite end well, because it says that there are 5 moderate vulnerabilities,
and then running npm audit
gives this report:
# npm audit report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/semver
@babel/core *
Depends on vulnerable versions of @babel/helper-compilation-targets
Depends on vulnerable versions of semver
node_modules/@babel/core
@babel/helper-compilation-targets *
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of semver
node_modules/@babel/helper-compilation-targets
@vitejs/plugin-react *
Depends on vulnerable versions of @babel/core
node_modules/@vitejs/plugin-react
eslint-plugin-react 7.19.0 || >=7.26.0
Depends on vulnerable versions of semver
node_modules/eslint-plugin-react
5 moderate severity vulnerabilities
I tried npm audit fix
and it did nothing, then I tried npm audit fix --force
and it fixed only one vulnerability, but that is not recommended.