Npx create-react-app: 8 vulnerabilities (2 moderate, 6 high) #13607

josegabrielc opened this issue Jun 13, 2024 · 10 comments

@josegabrielc

Describe the bug

When I create a new npx create-react-app application and install any dependencies I receive the message: 8 vulnerabilities (2 moderate, 6 high)

Did you try recovering your dependencies?

I've already started other projects from scratch and also performed global npm updates. Unsuccessful.

Environment

```
Environment Info:

  current version of create-react-app: 5.0.1
  running from C:\Users\joseg\AppData\Local\npm-cache_npx\c67e74de0542c87c\node_modules\create-react-app

  System:
    OS: Windows 11 10.0.22631
    CPU: (16) x64 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
  Binaries:
    Node: 22.2.0 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 10.8.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: Not Found
    Edge: Chromium (125.0.2535.92)
    Internet Explorer: 11.0.22621.3527
  npmPackages:
    react: ^18.3.1 => 18.3.1
    react-dom: ^18.3.1 => 18.3.1
    react-scripts: 5.0.1 => 5.0.1
  npmGlobalPackages:
    create-react-app: Not Found
```

Steps to reproduce

  1. npx create-react-app .

Expected behavior

The correct thing would be not to show any type of error.

Actual behavior

Image of the error:
image

After running npm fund:

image

@samiul123

Can I take this issue?

@HaiJunCai8

Has this issue been resolved? I am now encountering the same problem. After installing react-scripts@5.0.1, a security vulnerability has emerged, and it urgently needs to be addressed.

@nuxy

nuxy commented Jun 30, 2024

Experiencing the same issue when creating a new TypeScript application.

```
$ create-react-app project --template
Creating a new React app in /home/work/project.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template-typescript...


added 1482 packages in 32s

262 packages are looking for funding
  run `npm fund` for details

Initialized a git repository.

Installing template dependencies using npm...

added 41 packages, removed 1 package, and changed 2 packages in 6s

262 packages are looking for funding
  run `npm fund` for details

We detected TypeScript in your project (src/App.test.tsx) and created a tsconfig.json file for you.

Your tsconfig.json has been populated with default values.

Removing template package using npm...

removed 1 package, and audited 1522 packages in 3s

262 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
```

Any installs beyond this point are met with the same error above.

@HaiJunCai8

The following code can be added to the package.json file to resolve the issue:

```json
"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}
```

@anwarattiq

anwarattiq commented Jul 9, 2024

Facing this issue after running `npx create-react-app .`. Please help me to resolve it.
image

@Alama32

Alama32 commented Jul 14, 2024

Exactly the same problem, whether with React 18.0.0 or 18.3.1. audit fix changes nothing, and audit fix --force demolishes everything: vastly more errors and an unusable application.
image

@Alama32

Alama32 commented Jul 14, 2024

The following code can be added to the package.json file to resolve the issue:

```json
"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}
```

This doesn't work for me; this code gives me lint errors.

@josegabrielc
Author

The following code can be added to the package.json file to resolve the issue:

```json
"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}
```

By adding these rules to package.json I no longer have errors reported.
Why doesn't react itself update these libs in the current version of react-scripts?
Are they too busy in v19?

For those who couldn't:

  1. Delete node_modules and package-lock.json
  2. Add the code block like this:
    image
  3. Run "npm install" on cmd

@devilphenom

Client Vulnerabilities:

To address the 8 vulnerabilities, I updated the package.json with the following overrides and then reinstalled the dependencies:

```json
"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}
```

This action resolved the vulnerabilities.

Screenshot 2024-09-08 172410

@JhoanMuriCh

The following code can be added to the package.json file to resolve the issue:

```json
"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "4.9.5",
    "postcss": "8.4.38"
  }
}
```

By adding these rules to package.json, no more errors are reported. Why doesn't React update these libraries in the current version of react-scripts? Are they too busy with version 19?

For those who couldn't:

  1. Delete node_modules and package-lock.json
  2. Add the code block like this:
    image
  3. Run "npm install" in cmd

Thanks, I was able to solve all the vulnerabilities.
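
A way to verify the workaround from the comments above (add `overrides`, delete `node_modules` and `package-lock.json`, reinstall), as an added example that is not code from this thread or from create-react-app: it lists every installed copy of an overridden package whose locked version differs from the pin. The function names, the `example-loader` package and the sample lockfile are constructed; the check assumes exact-version pins and a lockfileVersion 2/3 layout, and it is stricter than npm's override scoping because it also flags copies outside the `react-scripts` subtree.

```javascript
// Added example. Inputs below are constructed, not from a real project.

// Flatten npm "overrides" into [name, pinnedVersion] pairs. Handles nesting,
// the "." self key and "name@range" keys; skips "$dep" reference values.
function flattenOverrides(overrides, parent = null, out = []) {
  for (const [key, value] of Object.entries(overrides || {})) {
    const name = key === '.' ? parent : key.replace(/(?!^)@.*$/, '');
    if (typeof value === 'string') {
      if (name && !value.startsWith('$')) out.push([name, value]);
    } else if (value && typeof value === 'object') {
      flattenOverrides(value, name, out);
    }
  }
  return out;
}

// List every installed copy of an overridden package whose locked version
// differs from the pin. `lock` is a parsed package-lock.json (v2/v3 layout).
// Assumes exact-version pins, as in the thread; a range pin would need semver.
function findUnpinned(pkg, lock) {
  const pins = new Map(flattenOverrides(pkg.overrides));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    const pinned = pins.get(name);
    if (pinned && entry.version !== pinned) {
      findings.push({ path, name, locked: entry.version, pinned });
    }
  }
  return findings;
}

// Constructed sample: the overrides from the thread, and a lockfile that was
// not regenerated, so two copies are still on older versions.
const pkg = { overrides: { 'react-scripts': {
  '@svgr/webpack': '8.1.0', typescript: '4.9.5', postcss: '8.4.38' } } };
const staleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/postcss': { version: '8.4.38' },
  'node_modules/example-loader/node_modules/postcss': { version: '7.0.39' },
  'node_modules/@svgr/webpack': { version: '5.5.0' },
  'node_modules/typescript': { version: '4.9.5' },
} };

console.log(findUnpinned(pkg, staleLock));
```

In a project, pass the parsed contents of `package.json` and `package-lock.json` instead of the sample objects; an empty result means every locked copy matches its pin.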
