Rethink decision to make react-scripts a dependency instead of a devDependency #11102
Comments
|
I moved npm version |
|
@rvramesh You're correct. The vulnerabilities will only be ignored when you run |
Thank you for the clarification. It helps |
|
Good proposal IMHO. However I guess dev environments are also considered for security related issues. It's sometimes harder to use exploits on dev environments, but it still happens.
Seems faster security related updates would be a better fix, but moving react-scripts to devDependencies would still be an improvement. |
|
Yes please. Want to send a PR? |
note that react-scripts is also moved to devDependencies. CRA is a build tool and thus do not truly belong in dependencies. See their own argument: facebook/create-react-app#11102 this allows npm audit --production to raise any real vulnerabilities
…devDependencies (#2313) * chore: update dependabot to also run on form-v2/develop branch * chore: run npm audit and npm update * chore: move most tooling packages to devDependencies note that react-scripts is also moved to devDependencies. CRA is a build tool and thus do not truly belong in dependencies. See their own argument: facebook/create-react-app#11102 this allows npm audit --production to raise any real vulnerabilities * chore: add cache flag to eslint command in .lintstagedrc
|
I want to, but it's probably a little more involving than just rolling back PR 2657. If the original rationale is still valid, these issues should be fixed first, or at least be opened here. This could take some time (away for summer vacation). |
|
The broader discussion is happening in #11174. |
- false positives being alerted on npm audit - fixed by moving reacts-scriptsto devDependencies as per; facebook/create-react-app#11102
* reorganise file locations * fixed npm audit dependencies issue - false positives being alerted on npm audit - fixed by moving reacts-scriptsto devDependencies as per; facebook/create-react-app#11102 * Basic Google Map Implementation 🗺 - Includes Initial unstyled Marker and Popup
|
yea, I got those vulnerabilities too! Anyone knows how to fix it ? |
Same here. I moved react-scripts from dependencies to devDependencies in package.json and still have the same vulnerabilities when running npm audit fix. |
samesies, 58 |
|
Well, I ran npm audit --production like discussed in #11174 and it found 0 vulnerabilities. I think it's solved |
|
Though "npm audit --production" shows 0 vulnerability, I can't run scripts from command line such as "npm start", "npm run build" and etc. |
|
I ran npm audit --production and moved my react-scripts to devDependencies and still getting the error. This is all new, My files were opening fine a few days ago |
|
Besides the audit, there may be another reason to move all(!) dependencies to devDependencies. In my monorepo I have distinct packages for frontend and backend, where the frontend is a react-app (obviously!). Through a package dependency the front-end is included into the backend. The benefit of this approach is that the CICD pipeline knows (leveraging multi-semantic-release) that when the client package version is bumped, the server version needs to be bumped as well (which bump triggers an actual deployment down the line). In the end, the server is only interested in the output in the build folder. However installing the app as dependency will also install all the specified app-dependencies which are not necessary in production. So my suggestion:
To make the package easier to use I would recommend the following:
This will allow people to simple do something like Hope this makes sense, |
and others
Is your proposal related to a problem?
The decision to make react-scripts a dependency causes a lot of issues regarding perceived security vulnerabilities. Even though the issues themselves are technically harmless, these issues often break CI/CD flows and/or end up being reported here as actual issues.
Describe the solution you'd like
The decision to make react-scripts a dependency was in my opinion ill-conceived. There are issues with having react-scrips a devDependency as stated in the original pull request:
npm auditare dependent on this distinction.In my opinion, a shortcut was taken to work around some problems that should have been fixed separately.
Describe alternatives you've considered
It's possible to move react-scripts to devDependencies by hand, or to eject your React application. Both solve the problem (afaict) but a lot of people are not willing to do this or are unaware of the possibility.
Another possibility would be for the developers to update dependencies whenever a vulnerability pops up as fast as possible, and/or to help developers of dependent package to fix their dependencies. Maybe get Facebook to throw some money behind a React Vulnerability Strike Team (tm) or something.
Additional context
One way or another a solution is needed. Every time some vulnerability pops up I see a lot of frustration in the comments. Even though someone always politely explains the actual security implications, there are always a few people saying (and probably more people thinking) that you don't actually care that much about security. Rationally I know this not to be true, but I get frustrated as well sometimes (I'm only human after all).
The text was updated successfully, but these errors were encountered: