Moderate vulnerabilities when running npx create-react-app

[christopherlim98]

I get 20 moderate vulnerabilities when running npx create-react-app. Running npm audit fix does not fix it. Was wondering if this has been reported?

# npm audit report

hosted-git-info  <3.0.8

Severity: moderate
Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/hosted-git-info
  normalize-package-data  2.0.0 - 2.5.0
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/@jest/core/node_modules/read-pkg
    node_modules/@jest/reporters/node_modules/read-pkg
    node_modules/jest-config/node_modules/read-pkg
    node_modules/jest-resolve/node_modules/read-pkg
    node_modules/jest-runner/node_modules/read-pkg
    node_modules/jest-runtime/node_modules/read-pkg
    node_modules/jest-snapshot/node_modules/read-pkg
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/@jest/core/node_modules/read-pkg-up
      node_modules/@jest/reporters/node_modules/read-pkg-up
      node_modules/jest-config/node_modules/read-pkg-up
      node_modules/jest-resolve/node_modules/read-pkg-up
      node_modules/jest-runner/node_modules/read-pkg-up
      node_modules/jest-runtime/node_modules/read-pkg-up
      node_modules/jest-snapshot/node_modules/read-pkg-up
      node_modules/read-pkg-up
        eslint-plugin-import  >=2.3.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/eslint-plugin-import
          eslint-config-react-app  2.0.0 - 3.0.0-next.fb6e6f70 || >=6.0.0-next.64
          Depends on vulnerable versions of eslint-plugin-import
          node_modules/eslint-config-react-app
            react-scripts  >=1.0.11
            Depends on vulnerable versions of eslint-config-react-app
            Depends on vulnerable versions of eslint-plugin-import
            Depends on vulnerable versions of jest-resolve
            node_modules/react-scripts
        jest-resolve  25.4.0 - 26.4.0 || 26.5.2 - 26.6.2
        Depends on vulnerable versions of read-pkg-up
        node_modules/@jest/core/node_modules/jest-resolve
        node_modules/@jest/reporters/node_modules/jest-resolve
        node_modules/jest-config/node_modules/jest-resolve
        node_modules/jest-resolve
        node_modules/jest-runner/node_modules/jest-resolve
        node_modules/jest-runtime/node_modules/jest-resolve
        node_modules/jest-snapshot/node_modules/jest-resolve
          @jest/core  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/core
            jest  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest
            jest-cli  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest-cli
          @jest/reporters  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/reporters
          jest-config  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-config
          jest-runner  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runner
            jest-circus  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runner
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-circus
          jest-runtime  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runtime
            @jest/test-sequencer  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/@jest/test-sequencer
            jest-jasmine2  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-jasmine2
          jest-snapshot  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-snapshot
            jest-resolve-dependencies  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

20 moderate severity vulnerabilities

[aleleba]

I get same vulnerability report, I confirm it is true.

[jdmann]

When we run yarn audit, we get similar warnings about hosted-git-info, which needs to be upgraded to 3.0.8. This relates to an issue reported just today (May 6th, 2021).

https://www.npmjs.com/advisories/1677

react-scripts uses hosted-git-info as a dependency, so it will need to upgraded to the patched version.

[RubenFern]

That happens to me too. The same vulnerabilities

[stelladraco27]

Can confirm the same, not sure if I should wait to create the app or just go ahead and ignore the vulnerabilities. Will an update fixing those issues break my app?

[bsubba]

I have the same warning: hosted-git-info

[klaytoncavalcante]

I can confirm.
I see other packages with the same info in my project, but react-scripts is the one with most mentions in npm audit:
There are two mentions of node-sass, 86 mentions of react-scripts and one of eslint-plugin-import in my project audit result.
All of them related to the issue with hosted-git-info: https://www.npmjs.com/advisories/1677

The advisory says it's fixed on version 3.0.8 of hosted-git-info.

[benayat]

same here, and I got 80

[aleleba]

Another Vulnerability:
Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.2.10 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > resolve-url-loader > postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1693

[kpotter-m2]

Another Vulnerability:
Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.2.10 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > resolve-url-loader > postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1693

see #10945 for that exact issue

[jarnohenneman]

Is there already a solution for this? - getting annoyed with the number of emails from security teams complaining about it.

[FHomes]

Same but I'm not getting "found 79 moderate severity vulnerabilities"

[KarahanGuner]

I am also getting 79 moderate severity vulnerabilities. Npm audit fix did not work.

[Black996]

I am also getting 87 vulnerabilities (81 moderate, 6 high) when using npx create-react-app
it was previously 80 vulnerabilities but now they're 87
is there any solution for this?

[ShepSims]

Dang thought I'd gotten the new record but @Black996 beat me to it. Create-react-app confirmed up to 87 vulnerabilities (81 moderate, 6 high) now

[kvicera]

I also have 81 vulnerabilities (80 moderate, 1 high). What's weird is updating the package concerned seems to do nothing. Am I missing something here?

Also tried via yarn, got 186 vulnerabilities related to react-scripts instead but its the same stuff.

[danipurwadi]

@kvicera it's because the newest version of react-scripts uses the old version of some of its dependencies, so updating the other package won't help as the react-scripts still needs the older version. But yea I have the same issue, I hope they fix this soon

[njh18]

Is it possible to use an older version instead?

[klaytoncavalcante]

I believe that what is needed to be done is react-script maintainers to update the affected package in react-scripts dependencies, as suggested in the advisory: https://www.npmjs.com/advisories/1677

But I don't know what is the impact of this and it seems like this is not a priority right now.

[Geulky17]

Has anyone found a solution to this yet?

[nishadmm]

also I have this same issue....87 vulnerabilities (81 moderate, 6 high)
Any solution

[MattjackBrown]

yup same here, running npx create-react-app shows 81 vulnerabilities (80 moderate, 1 high).

All 80 moderate vulnerabilities are: https://www.npmjs.com/advisories/1693

The high vulnerability is: https://www.npmjs.com/advisories/1745

[nexun]

I come for the same warning

[milewsa3]

Have someone fixed that error already?

[AryaBuddha]

Same issue here. Forcing the audit to fix returns even more errors, I hope they fix this soon.

[FranklynCodes]

Also the browserlist package needs to be updated in the react-scripts package.

[rkpande20]

Any update on the fix for this issue?

[kdfriedman]

Same issue here. Checking for any new updates.

[bgramaje]

same issue huere!

[Josenegrin]

I have the same issues but is more.
87 moderate vulnerabilities and 10 high x_X.

I'll try uninstall -g create-react-app and install -g create-react-app
install -g react-scripts

and the vulnerabilities contiue

[jacobbroughton]

Yepp, I'm getting 85 moderate, and 11 high vulnerabilities showing...

[flooyd]

82 moderate 4 high :(

[vamshikrishnadn]

Same issue even i got 86 vulnerabilities while creating the new react app.... Try to solve it soon.

[lanxeon]

Same, 86 vulnerabilities(82 moderate, 4 high) on a freshly created project. audit fix does nothing.

[Wjpayne]

I also get the same, 86 vulnerabilities(82 moderate, 4 high) on a freshly created project. audit fix does nothing. I suppose I will just ignore them for now.

[phutngo]

Same, 86 vulnerabilities(82 moderate, 4 high) on a freshly created project. audit fix does nothing.

I get the exact same results.

[penavincent]

Same here. A newly made react app using the typescript template will get you 96 vulnerabilities (85 moderate, 11 high) right off the bat.

[kimjusang]

found 86 vulnerabilities (82 moderate, 4 high)

[DevHamzaa]

when the hell its gonna resolve any update regarding this?

[koushikchoudhury0]

Vulnerabilities went from 47 to 87 after I ran audit fix --force

[DevHamzaa]

somehow able to reduce to 13 moderate Vulnerabilities
people who are learning can use this ig
download the repo and read the readme file and use it till the issue completely fixed by developers
https:/DevHamzaa/simple-react-setup-master

[radbahi]

this shouldn't affect any projects, right? i got 85 moderate and 11 high. just started a new tutorial.

[ghost]

I also have same concern. Will it be dangerous for my ongoing projects with firebase

[norogoth]

I seem to be getting a similar warning.

[Gaulepal]

same issue so far

[Davydx7]

Found 8 vulnerabilities: 4moderate, 4 high

[crazysamurai]

I'm having the same issue when I tried to update packages on a project.

[diveshkswn]

Same for me.

[mk-16]

Same Here

[ussserrr]

No wonder, I think:

added 1921 packages, and audited 1922 packages in 2m

Actually, I think there are not so many of them, considering the amount of dependencies :D

[Sonatai]

I created a new React App with the commands in the docu.
I have 5 vulnerabilities, npm audit fix --force didnt helped 🤷‍♀️

[gaearon]

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.