I created a react app with npx create-react-app myapp and was flooded with vulnerabilities. I followed the instructions in this github issue and moved the package to devDependencies in my package.json file, since any "vulnerabilities" would only exist on my local dev laptop. However, when I run npm audit --production as suggested, I still see the deluge of warnings about vulnerabilities. Did I forget to do something? Here is my package.json file.
{
  "name": "myapp",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^5.15.0",
    "@testing-library/react": "^11.2.7",
    "@testing-library/user-event": "^12.8.3",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "web-vitals": "^1.1.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}
And these are the vulnerabilities I am seeing for react-scripts:
tpulliam@lappy:~/Desktop/code/myapp (master) $ npm audit --production
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@0.9.5, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of babel-jest
...
...
So I actually fixed my issue. All I did was run rm -fr node_modules/ package-lock.json && npm install after modifying the package.json file. After that, npm audit --production showed 0 vulnerabilities.
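The fix in the answer works because package-lock.json, not package.json, records which installed packages are dev-only, and a lockfile written before the edit still lists react-scripts and its subtree as production packages. As an added example (not code from the question or the answer), this Node script compares the two files to spot a lockfile that was not regenerated after the edit; it assumes a lockfileVersion 2 lockfile and constructs both sample files inline.

```javascript
// Added example (not code from the question or answer): detect a lockfile that
// still records packages as production after they were moved to devDependencies,
// which keeps them in scope for a production-only audit until it is regenerated.
// Assumes lockfileVersion 2 ("packages" keyed by "node_modules/<name>", with
// "dev": true on packages reachable only through devDependencies).

// Constructed sample: package.json after react-scripts was moved to dev.
const packageJson = {
  dependencies: { react: "^17.0.2", "react-dom": "^17.0.2" },
  devDependencies: { "react-scripts": "4.0.3" },
};

// Constructed sample: lockfile written before the edit, so no "dev" flags.
const staleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/react": { version: "17.0.2" },
    "node_modules/react-scripts": { version: "4.0.3" },
    "node_modules/ansi-html": { version: "0.0.7" },
  },
};

// Constructed sample: lockfile regenerated after deleting node_modules and
// package-lock.json and running npm install again.
const freshLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/react": { version: "17.0.2" },
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/ansi-html": { version: "0.0.7", dev: true },
  },
};

// devDependencies names whose lockfile entry is not flagged dev (stale lock).
function findStaleDevEntries(pkg, lock) {
  const packages = lock.packages || {};
  return Object.keys(pkg.devDependencies || {}).filter((name) => {
    const entry = packages[`node_modules/${name}`];
    return entry !== undefined && entry.dev !== true;
  });
}

// Lockfile entries a production-only audit would still consider, sorted.
function productionPackages(lock) {
  const packages = lock.packages || {};
  return Object.keys(packages)
    .filter((key) => key !== "" && packages[key].dev !== true)
    .sort();
}
```

For a real project, replace the constructed objects with JSON.parse of the two files on disk; a non-empty result from findStaleDevEntries is the signal to delete node_modules and package-lock.json and reinstall.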