Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

96 vulnerabilities after running npx create-react-app my-app command #11092

Closed
bcagarwal opened this issue Jun 11, 2021 · 30 comments
Closed

96 vulnerabilities after running npx create-react-app my-app command #11092

bcagarwal opened this issue Jun 11, 2021 · 30 comments

Comments

@bcagarwal
Copy link

bcagarwal commented Jun 11, 2021

node version 16.3.0
nom version 7.15.1

While executing the command npx create-react-app my-app, I am getting

96 vulnerabilities (85 moderate, 11 high)

Please check.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...


added 1922 packages, and audited 1923 packages in 60s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Initialized a git repository.

Installing template dependencies using npm...

added 32 packages, and audited 1955 packages in 9s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
Removing template package using npm...


removed 1 package, and audited 1954 packages in 7s

145 packages are looking for funding
  run `npm fund` for details

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Created git commit.

Success! Created my-app at /Users/bikashagrawal/react-projects/my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!

I tried to run npm audit fix and npm audit fix --force, but it didn't help.

@vegarringdal
Copy link

I got the same result

@fazemodz
Copy link

i got this too

@alaintalk
Copy link

same problem

1 similar comment
@RealDrewKlayman
Copy link

same problem

@frankthoeny
Copy link

Does not justify another tread, I have a similar issue with create-react-app. I use Windows 10 with VSCode.

"dependencies": {
"@testing-library/jest-dom": "^5.14.1",
"@testing-library/react": "^11.2.7",
"@testing-library/user-event": "^12.8.3",
"react": "^17.0.2",
"react-dom": "^17.0.2",
"react-scripts": "^4.0.3", <--- (Is this it?)
"web-vitals": "^1.1.2"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},

---- I deleted "react-scripts": "^4.0.3", from the file package.json. Found that Uninstalling react-scripts returns the following.

npm install
removed 1843 packages and audited 83 packages in 52.197s

3 packages are looking for funding
run npm fund for details

found 0 vulnerabilities

---- But wait need react-scripts to work. I tried a different version from 4 months ago, but got the same results.

npm i react-scripts@4.0.0 --save
---- Why are these packages deprecated? OMG
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:

https://opencollective.com/core-js
https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

core-js@3.14.0 postinstall D:\Web Apps\myappnamehere\node_modules\core-js
node -e "try{require('./postinstall')}catch(e){}"

ejs@2.7.4 postinstall D:\Web Apps\myappnamehere\node_modules\ejs
node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.3 (node_modules\react-scripts\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\watchpack-chokidar2\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\webpack-dev-server\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.14.5 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

  • react-scripts@4.0.0
    added 1847 packages from 648 contributors and audited 1933 packages in 192.476s

145 packages are looking for funding
run npm fund for details

found 86 vulnerabilities (82 moderate, 4 high)
run npm audit fix to fix them, or npm audit for details

@wanghuaimin2024
Copy link

I encountered the same, this is my prompt, can you ask what your prompt is?
我遇到了相同,这是我的提示,能问下你们的是什么吗?
1
2
3

@wanghuaimin2024
Copy link

Secondly, running npm init and then npx can solve the above problem; but a new problem has emerged: My project is MyReact / my-app, why does MyReact prompt an error? Is it because I am running npx under MyReact? (But if npx runs in the root directory, it will report an error “npm ERR! 404 Not Found - GET https://registry.npmjs.com/creat-react-app - Not found” and cannot be run directly.)
二次补充,先运行 npm init 再运行 npx 可以解决上面的问题;但新的问题又出来了:我的项目是 MyReact / my-app ,为什么 MyReact 会提示错误呢?是因为我是在 MyReact 下运行的 npx 吗?(但 npx 在根目录下是没法运行啊,报错 404)

@DancingColors
Copy link

Same here.

@bcagarwal
Copy link
Author

Thanks to everyone who commented and it seems everyone is facing the same issue. What is the solution to this issue?

@DancingColors
Copy link

@bcagarwal The more comments, the more visibility to the issue. Asking again is useless.

@bcagarwal
Copy link
Author

@DancingColors Got it. Thank you.

@mchakshu-zz
Copy link

Node JS version 14.16.1
npm version 6.14.12
found 89 vulnerabilities (1 low, 82 moderate, 6 high)

@wanghuaimin2024
Copy link

感谢所有评论的人, 似乎每个人都面临着同样的问题。这个问题的解决方案是什么

Upgrade npm to npm7

@wanghuaimin2024
Copy link

The problems encountered during the two days of learning this step (win10, nodejsv14.17.0):

  1. Prompt 404
    1.1 Install create-react-app globally, and then execute npx
  2. The file idealTree already exists
    2.1 Create file A, run npx in folder A
  3. Prompt that there are vulnerabilities
    3.1 Upgrade npm to 7, automatically install dependencies
  4. After the npx command is executed, it prompts that folder A lacks package.json
    4.1 Before executing npx, execute npm init first, manually create package.json, and then execute npx
    4.2 Or before executing npx, install yarn globally, and then execute npx.

Supplement: 4.2 Unresolved errors: When the installation reaches 3/4, there will be two error messages, and no solution has been found yet.

这两天学习这一步遇到的问题(win10,nodejsv14.17.0):

1.提示404
1.1 全局安装 create-react-app,然后再执行 npx
2. 文件 idealTree 已存在
2.1 创建文件A,在文件夹A中运行 npx
3. 提示存在漏洞
3.1 升级npm 到7,自动安装依赖
4. npx命令执行后,提示文件夹A 缺少package.json
4.1 在执行 npx 之前,先执行 npm init ,手动创建 package.json,然后再执行 npx
4.2 或者在执行 npx 之前,先全局安装 yarn,然后再执行 npx。

补充:4.2 未解决的错误: 安装到3/4时,会有两个错误提示,暂未找到解决办法。

@RobFosterNYC
Copy link

RobFosterNYC commented Jun 15, 2021

I am getting this issue as well....
.

Screenshot_10B

.

Screenshot_14

And for some odd reason (on its own), I am now getting duplicate files, its stressful and confusing...
the duplicate files have different configurations to one another.
.
Screenshot_15

@mrwensveen
Copy link

mrwensveen commented Jun 15, 2021

A lot of this has to do with the fact that react-scripts is added as a dependency in stead of a devDependency. Technically, the vulnerabilities will not be deployed unless they are also dependencies of your package or another dependency that will get deployed.

I have proposed here that react-scripts should be a devDependency again so we don't have to ignore a bunch of vulnerabilities every few weeks.

Edit: fixed link

@bcagarwal
Copy link
Author

Is adding a label required? If yes, I am unable to do so. Could someone please help to add a label to this issue?

@acomanescu
Copy link

This is extremely important to be fixed as soon as possible.

@Duosora
Copy link

Duosora commented Jun 15, 2021

Big upvote on the necessity of fixing that one. It's truly annoying to see it every single time.

@mel-ramkhelawan
Copy link

Im having the same issue.

Node: 16.3.0
npm: 7.15.1

@GhostyBooBoo
Copy link

GhostyBooBoo commented Jun 16, 2021

+ the immer vulnerability from ages ago that still hasnt been resolved.

I recognize that technically these may not actually cause vulnerabilities for our applications, but that is just such an unrealistic view of how things really work. Bureaucracy is going to bureaucracy, so not fixing these just causes headaches for so many people.

@shodmin
Copy link

shodmin commented Jun 16, 2021

Same there !!

monfresh added a commit to transcom/mymove that referenced this issue Jun 16, 2021
Last week, our builds started failing because of a vulnerability in
`react-scripts` and `node-sass`, and we have a Danger rule to run
`yarn audit` on the packages in the `dependencies` section.

The vulnerabilities haven't been fixed yet, and so to allow us to merge
PRs, we temporarily disabled the `checkYarnAudit` function in
`dangerfile.ts`.

While looking at the GitHub issues for these vulnerabilities that were
linked in our SEV-4 incident Google Doc, I came across this
[interesting comment](facebook/create-react-app#11092 (comment))
that says that in the `facebook/create-react-app` package,
`react-scripts` should be listed in `devDependencies`, not
`dependencies`.

That got me thinking whether the packages in our `dependencies` section
really belong there. AFAIK, sass is used in development and then gets
compiled to CSS when the client is built. It doesn't get used at
runtime. Similarly, `react-scripts` seems to be a development tool we
use to run `yarn build | eject | start | test`.

After putting both `node-sass` and `react-scripts` in `devDependencies`,
I deployed the app using our review bot and everything seems fine.

This allows us to turn the yarn audit check back on.
@ghost
Copy link

ghost commented Jun 17, 2021

I have the same issue, running on Win10, Npm7

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

@bcagarwal
Copy link
Author

We don't see any attention to this issue and we don't know whether it would be fixed. Is there anyway we can get desired attention to this issue so that it would be fixed on priority?

@croraf
Copy link

croraf commented Jun 21, 2021

Can this be closed in favor of: #11012 ?

@rhalaly
Copy link

rhalaly commented Jun 28, 2021

These vulnerabilities have been around for a long time. Is there any plan to fix them??

@AndreGCRamos
Copy link

Same problem here...

@gaearon
Copy link
Contributor

gaearon commented Jul 2, 2021

There are no actual vulnerabilities here.

Unfortunately, npm audit has no idea that these packages are development-only dependencies. From what I can tell, none of these "vulnerabilities" actually affect your application (or even development machine) in any way.

This is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA).

Yes, it would be good to cut a patch to remove the warnings, but we are all unfortunately wasting time here.

@gaearon
Copy link
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Copy link
Contributor

gaearon commented Jul 2, 2021

Please see #11174.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests