96 vulnerabilities after running npx create-react-app my-app command #11092
Comments
I got the same result
i got this too
same problem
same problem
Does not justify another thread, I have a similar issue with create-react-app. I use Windows 10 with VSCode.
"dependencies": {
----
I deleted "react-scripts": "^4.0.3", from the file package.json. Found that uninstalling react-scripts returns the following.
3 packages are looking for funding
found 0 vulnerabilities
----
But wait, I need react-scripts to work. I tried a different version from 4 months ago, but got the same results.
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library! The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.3 (node_modules\react-scripts\node_modules\fsevents):
145 packages are looking for funding
found 86 vulnerabilities (82 moderate, 4 high)
Secondly, running npm init and then npx can solve the above problem; but a new problem has emerged: my project is MyReact / my-app, why does MyReact prompt an error? Is it because I am running npx under MyReact? (But if npx runs in the root directory, it will report an error "npm ERR! 404 Not Found - GET https://registry.npmjs.com/creat-react-app - Not found" and cannot be run directly.)
Same here.
Thanks to everyone who commented and it seems everyone is facing the same issue. What is the solution to this issue?
@bcagarwal The more comments, the more visibility to the issue. Asking again is useless.
@DancingColors Got it. Thank you.
Node JS version 14.16.1
Upgrade npm to npm7
The problems encountered during the two days of learning this step (win10, nodejs v14.17.0):
1. A 404 error is reported.
Supplement: 4.2 Unresolved errors: when the installation reaches 3/4, there are two error messages, and no solution has been found yet.
A lot of this has to do with the fact that react-scripts is added as a dependency instead of a devDependency. Technically, the vulnerabilities will not be deployed unless they are also dependencies of your package or another dependency that will get deployed. I have proposed here that react-scripts should be a devDependency again so we don't have to ignore a bunch of vulnerabilities every few weeks. Edit: fixed link
Is adding a label required? If yes, I am unable to do so. Could someone please help to add a label to this issue?
This is extremely important to be fixed as soon as possible.
Big upvote on the necessity of fixing that one. It's truly annoying to see it every single time.
I'm having the same issue. Node: 16.3.0
+ the immer vulnerability from ages ago that still hasn't been resolved. I recognize that technically these may not actually cause vulnerabilities for our applications, but that is just such an unrealistic view of how things really work. Bureaucracy is going to bureaucracy, so not fixing these just causes headaches for so many people.
Same there!!
Last week, our builds started failing because of a vulnerability in `react-scripts` and `node-sass`, and we have a Danger rule to run `yarn audit` on the packages in the `dependencies` section. The vulnerabilities haven't been fixed yet, and so to allow us to merge PRs, we temporarily disabled the `checkYarnAudit` function in `dangerfile.ts`. While looking at the GitHub issues for these vulnerabilities that were linked in our SEV-4 incident Google Doc, I came across this [interesting comment](facebook/create-react-app#11092 (comment)) that says that in the `facebook/create-react-app` package, `react-scripts` should be listed in `devDependencies`, not `dependencies`. That got me thinking whether the packages in our `dependencies` section really belong there. AFAIK, sass is used in development and then gets compiled to CSS when the client is built. It doesn't get used at runtime. Similarly, `react-scripts` seems to be a development tool we use to run `yarn build | eject | start | test`. After putting both `node-sass` and `react-scripts` in `devDependencies`, I deployed the app using our review bot and everything seems fine. This allows us to turn the yarn audit check back on.
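The relocation described in the comment above, as an added example that is not code from the thread or from the create-react-app project: a small Node script that moves build-only tools (here `react-scripts` and `node-sass`, named in the comment) from `dependencies` to `devDependencies`, and a filter that keeps only advisories rooted in a production dependency, which is what a production-scoped audit reports. The package.json and the advisory list are constructed sample input, not real audit output.

```javascript
// Packages that run only at build time (taken from the comment above).
const BUILD_ONLY = new Set(["react-scripts", "node-sass"]);

// Move build-only packages out of "dependencies"; keep the version range as-is.
// Returns a new package object plus the list of names that were moved.
function moveToDevDependencies(pkg, buildOnly = BUILD_ONLY) {
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  const moved = [];
  for (const name of Object.keys(deps)) {
    if (!buildOnly.has(name)) continue;
    if (devDeps[name] && devDeps[name] !== deps[name]) {
      throw new Error(`version conflict for ${name}: ${deps[name]} vs ${devDeps[name]}`);
    }
    devDeps[name] = deps[name];
    delete deps[name];
    moved.push(name);
  }
  return { pkg: { ...pkg, dependencies: deps, devDependencies: devDeps }, moved };
}

// Keep only advisories whose dependency path starts at a production dependency,
// i.e. code that can actually end up in the shipped bundle.
// Each advisory carries `path`: the chain from a direct dependency to the
// vulnerable module, the way audit tools report it.
function productionOnly(advisories, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return advisories.filter((a) => prod.has(a.path[0]));
}

// Constructed sample package.json (a CRA app with the two tools misplaced).
const samplePkg = {
  name: "my-app",
  dependencies: {
    react: "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "^4.0.3",
    "node-sass": "^5.0.0",
  },
  devDependencies: {},
};

// Constructed advisories: the paths are illustrative, not real audit data.
const sampleAdvisories = [
  { module: "immer", severity: "high", path: ["react-scripts", "immer"] },
  { module: "trim-newlines", severity: "high", path: ["node-sass", "meow", "trim-newlines"] },
];

const result = moveToDevDependencies(samplePkg);
console.log("moved:", result.moved);
console.log("production advisories after move:", productionOnly(sampleAdvisories, result.pkg).length);
```

Once the tools sit in `devDependencies`, a production-scoped audit such as `yarn audit --groups dependencies` (yarn classic) no longer reports these paths, while a full audit still does.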
I have the same issue, running on Win10, Npm7
We don't see any attention to this issue and we don't know whether it would be fixed. Is there any way we can get desired attention to this issue so that it would be fixed on priority?
Can this be closed in favor of: #11012 ?
These vulnerabilities have been around for a long time. Is there any plan to fix them??
Same problem here...
There are no actual vulnerabilities here. Unfortunately, this is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA). Yes, it would be good to cut a patch to remove the warnings, but we are all unfortunately wasting time here.
These warnings are false positives. There are no actual vulnerabilities affecting your app here. To fix That will remove the false positive warnings. I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings. If you want to discuss this, please comment in #11102.
Please see #11174. |
While executing the command `npx create-react-app my-app`, I am getting Please check.
I tried to run `npm audit fix` and `npm audit fix --force`, but it didn't help.