Tags: reactjs, npm, vite, node-modules

Create react project using vite, npm reports vulnerabilities


I am getting 3 vulnerabilities while creating a fresh React project using Vite.

I have updated my Node and npm to Node 22.14.0 and npm 11.1.10.

All my commands are:

  • npm create vite@latest
  • After that, the script asks me to select from various frameworks like React, Vue, etc.
  • I select the React option
  • Additionally, I also select TypeScript
  • I go to the directory
  • npm install

After running npm install, the project dependencies are installed, but it shows 3 vulnerabilities. I have tried the audit force fix method. Can anyone explain why this is happening?

Here is the vulnerability report I am getting in the console. It is not causing any problem while running the application, but it is bothering me, guys. I hope all devs will understand this feeling.

Is this a new bug? Maybe, maybe not!

here is the console summary

npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vite@0.10.3, which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.1
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  >=2.0.0-alpha.0
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I have the latest version of Node: 22.14.0.
Additionally, I have updated npm to 11.1.0.
I have tried the audit force fix method.
I have tried to update the package manually.
It still shows 3 vulnerabilities.


Solution

  • npm can find vulnerabilities and tell you to "fix it", but that does not mean there actually are fixes that you can do.

    Besides that, npm audit will not differentiate between "dev" and "runtime" vulnerabilities:

    • "dev" vulnerabilities can impact you, and nobody else. Only other build tooling that runs on your computer could exploit this, but I have so far (fingers crossed) never seen anything doing that.
    • "runtime" vulnerabilities can impact your End Users - but only if you actually host it in public and actually have End Users. For trying out / learning / playing, you can totally ignore these.

    Now, if you must fix the issues, here is why it sometimes isn't possible:

    • Your project may use X v1.0, which uses Y v2.0 that has a vulnerability, which was fixed in Y v2.1.
    • To fix X, the package maintainer must release e.g. X v1.1 that uses Y v2.1.
    • But that hasn't been done yet...

    Your options if a fix is not immediately available:

    (1) Drop X entirely - quite often not a viable option, but there could be a replacement for X that does more or less the same.

    (2) Fork X from their online repo (Github etc), then make a fix and use that in your project - can be very hard, and just impossible for a beginner.

    (3) Report an issue and/or submit a PR with the maintainer. Becoming a sponsor might also help.

    So all in all: npm audit fix can be too optimistic in what it tells you, and then these are your options - ignore, drop/replace, fork, or report/PR & wait.