While running npx create-react-app my-app, I am getting 10 moderate severity vulnerabilities. I am not able to fix them even after running npm audit fix or npm audit fix --force. When I run npm audit fix --force I get even more: 44 vulnerabilities (25 low, 5 moderate, 14 high); then, if I run the same command again to fix them, I get 10 moderate severity vulnerabilities. This keeps going in cycles each time I run the command.
$ npm audit
# npm audit report
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-rc.6
Depends on vulnerable versions of webpack-dev-server
10 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
You have to run npm audit --production instead of npm audit. This is a known issue without a real fix. These should all be in your devDependencies and they won't have any security impact in your production builds.
Read more about dev dependencies vs dependencies here.
Read more about this in the create-react-app GitHub.
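As an added example (not part of the question or the answer above), a small Node script that applies the answer's reasoning to an `npm audit --json` report: it follows each advisory's `effects` chain up to the direct dependency that pulls the vulnerable package into the tree and checks whether that root sits in `dependencies` or only in `devDependencies`. The package.json and report below are constructed for the browserslist chain in the question, assuming react-scripts has been moved to devDependencies; the field names follow npm 7's `auditReportVersion: 2` format.

```javascript
// Constructed sample (not from the page): a trimmed package.json and an npm 7
// (auditReportVersion 2) audit report for the browserslist chain in the question.
const packageJson = {
  dependencies: { react: "^17.0.2", "react-dom": "^17.0.2" },
  devDependencies: { "react-scripts": "4.0.3" },
};

const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    browserslist: {
      name: "browserslist", severity: "moderate", isDirect: false,
      // objects in `via` are advisories; strings name another vulnerable package
      via: [{ source: 1747, title: "Regular Expression Denial of Service",
              url: "https://npmjs.com/advisories/1747", range: "4.0.0 - 4.16.4" }],
      effects: ["react-dev-utils"],
    },
    "react-dev-utils": { name: "react-dev-utils", severity: "moderate", isDirect: false,
                         via: ["browserslist"], effects: ["react-scripts"] },
    "react-scripts": { name: "react-scripts", severity: "moderate", isDirect: true,
                       via: ["react-dev-utils"], effects: [] },
  },
};

// Walk `effects` upward to the direct dependencies that pull `name` into the tree.
function directRoots(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return []; // stop on cycles or unknown nodes
  seen.add(name);
  const roots = vulns[name].isDirect ? [name] : [];
  for (const p of vulns[name].effects || []) roots.push(...directRoots(vulns, p, seen));
  return [...new Set(roots)];
}

// Per advisory: which direct roots it reaches, and whether any is a production dependency.
function triage(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const results = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    for (const adv of entry.via) {
      if (typeof adv !== "object") continue;
      const roots = directRoots(report.vulnerabilities, name);
      results.push({ package: name, severity: entry.severity, advisory: adv.url,
                     roots, production: roots.some((r) => prod.has(r)) });
    }
  }
  return results;
}

for (const f of triage(auditReport, packageJson)) console.log(`${f.package} (${f.severity}) reaches ${f.roots.join(", ")}: ${f.production ? "PRODUCTION" : "dev only"}`);
```

Note that the create-react-app template lists react-scripts under `dependencies`, so `npm audit --production` keeps reporting these findings until it is moved to `devDependencies`.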