I'm stuck in a situation where I've either got 22 vulnerabilities or 47. I can run npm audit fix but I'm always suggested to run the --force switch in order to actually perform an upgrade. From there I can either upgrade and get 22 vulns and then I perform the --force again and get 47 vulns, this cycle continues forever. What's the best way out, just leave the packages the way they are?
my package.json
"dependencies": {
"animate.css": "^4.1.1",
"axios": "^0.21.1",
"bootstrap": "^4.5.3",
"http-proxy-middleware": "^0.19.1",
"react": "^17.0.1",
"react-dom": "^17.0.1",
"react-ga": "^3.3.0",
"react-router-dom": "^5.2.0",
"react-scripts": "^1.1.5",
"universal-cookie": "^4.0.4",
"web-vitals": "^0.2.4"
},
When I try npm --audit fix in one situation:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: type-fest@0.21.3
npm ERR! node_modules/type-fest
npm ERR! type-fest@"^0.21.3" from ansi-escapes@4.3.2
npm ERR! node_modules/ansi-escapes
npm ERR! ansi-escapes@"^4.2.1" from @jest/core@26.6.3
npm ERR! node_modules/@jest/core
npm ERR! @jest/core@"^26.6.0" from jest@26.6.0
npm ERR! node_modules/jest
npm ERR! peer jest@"^26.0.0" from jest-watch-typeahead@0.6.1
npm ERR! node_modules/jest-watch-typeahead
npm ERR! 1 more (react-scripts)
npm ERR! 1 more (jest-cli)
npm ERR! ansi-escapes@"^4.3.1" from jest-watch-typeahead@0.6.1
npm ERR! node_modules/jest-watch-typeahead
npm ERR! jest-watch-typeahead@"0.6.1" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^4.0.3" from the root project
npm ERR! 2 more (jest-watcher, terminal-link)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/react-refresh-webpack-plugin@0.4.3
npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin
npm ERR! @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^4.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
And then when I run it after another --force
# npm audit report
braces <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/anymatch/node_modules/braces
node_modules/jest-cli/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/anymatch/node_modules/micromatch
node_modules/jest-cli/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-runtime/node_modules/micromatch
node_modules/test-exclude/node_modules/micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-matchers
Depends on vulnerable versions of jest-message-util
node_modules/jest-jasmine2
jest-config 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-jasmine2
node_modules/jest-config
jest-matchers >=18.5.0-alpha.7da3df39
Depends on vulnerable versions of jest-message-util
node_modules/jest-matchers
jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-util
jest-environment-jsdom 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-jsdom
jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
jest-snapshot 18.5.0-alpha.7da3df39 - 21.0.0-beta.1
Depends on vulnerable versions of jest-util
node_modules/jest-snapshot
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/anymatch/node_modules/micromatch
node_modules/jest-cli/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-runtime/node_modules/micromatch
node_modules/test-exclude/node_modules/micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware/node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/webpack-dev-server/node_modules/http-proxy-middleware
jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-matchers
Depends on vulnerable versions of jest-message-util
node_modules/jest-jasmine2
jest-config 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-jasmine2
node_modules/jest-config
jest-matchers >=18.5.0-alpha.7da3df39
Depends on vulnerable versions of jest-message-util
node_modules/jest-matchers
jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-util
jest-environment-jsdom 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-jsdom
jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
jest-snapshot 18.5.0-alpha.7da3df39 - 21.0.0-beta.1
Depends on vulnerable versions of jest-util
node_modules/jest-snapshot
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
js-yaml <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/js-yaml
svgo 0.4.2 - 1.0.5
Depends on vulnerable versions of js-yaml
node_modules/svgo
postcss-svgo <=2.1.6
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano <=3.10.0
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
css-loader 0.15.0 - 0.28.11
Depends on vulnerable versions of cssnano
node_modules/css-loader
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/webpack/node_modules/os-locale
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/webpack-dev-server/node_modules/yargs
node_modules/webpack/node_modules/yargs
node_modules/yargs
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
webpack 2.0.0-beta - 4.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/webpack
babel-loader 7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
Depends on vulnerable versions of webpack
node_modules/babel-loader
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
file-loader 1.1.1 - 1.1.9
Depends on vulnerable versions of webpack
node_modules/file-loader
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
merge <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/normalize-url
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano <=3.10.0
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
css-loader 0.15.0 - 0.28.11
Depends on vulnerable versions of cssnano
node_modules/css-loader
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
sw-precache >=4.2.0
Depends on vulnerable versions of meow
node_modules/sw-precache
sw-precache-webpack-plugin >=0.8.0
Depends on vulnerable versions of sw-precache
node_modules/sw-precache-webpack-plugin
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.11.2
Severity: high
Missing Origin Validation - https://npmjs.com/advisories/725
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/webpack/node_modules/yargs-parser
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/webpack-dev-server/node_modules/yargs
node_modules/webpack/node_modules/yargs
node_modules/yargs
jest-cli 12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 24.8.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 2.1.8
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of css-loader
Depends on vulnerable versions of file-loader
Depends on vulnerable versions of jest
Depends on vulnerable versions of sw-precache-webpack-plugin
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.8.0
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
webpack 2.0.0-beta - 4.0.0-beta.3
Depends on vulnerable versions of yargs
node_modules/webpack
babel-loader 7.0.0-alpha.1 - 7.1.2 || 8.0.0-beta.0 - 8.0.0-beta.6
Depends on vulnerable versions of webpack
node_modules/babel-loader
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
file-loader 1.1.1 - 1.1.9
Depends on vulnerable versions of webpack
node_modules/file-loader
webpack-dev-server <=3.11.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
You're in a loop because react-scripts@1 has some vulnerable dependencies and react-scripts@4 has different vulnerable dependencies, so you're bouncing back and forth between them.
The first time you run npm audit fix --force, you update to react-scripts@4.x, and when you run it again, it downgrades you to react-scripts@1.x to remove the vulnerable dependencies in the 4.x version.
As of this writing, if you run npx create-react-app my-app, you get react-scripts@4 (and the warning about 22 vulnerabilities) so maybe run npm audit fix --force to get to that state, run your tests to make sure nothing broke, and go to https://www.npmjs.com/package/react-scripts from time to time to check for a release that bumps the dependencies (and/or run npm audit from time to time without the --force to see if it updates it automatically).