
"found 1 low severity vulnerability" warning while creating React App using "npx create-react-app" command. #9367

Closed
sunilpoojari opened this issue Jul 26, 2020 · 9 comments

Comments

@sunilpoojari

Describe the bug

While creating a React app using the npx create-react-app command, this warning appears:

found 1 low severity vulnerability
    run `npm audit fix` to fix them, or `npm audit` for details

Did you try recovering your dependencies?

Tried: npm install -g npm@latest

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

current version of create-react-app: 3.4.1

System:

    OS: Windows 10 10.0.19041
    CPU: (8) x64 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
Binaries:

    Node: 12.18.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
Browsers:

    Edge: 44.19041.1.0
    Internet Explorer: 11.0.19041.1

npmPackages:

    react: ^16.13.1 => 16.13.1
    react-dom: ^16.13.1 => 16.13.1
    react-scripts: 3.4.1 => 3.4.1

npmGlobalPackages:

    create-react-app: Not Found

Steps to reproduce

  1. When we run create-react-app, this issue arises.

Expected behavior

To create a React App without any low severity vulnerability

Actual behavior

found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details

    === npm audit security report ===

    Manual Review
    Some vulnerabilities require your attention to resolve

    Visit https://go.npm.me/audit-guide for additional guidance

    Low             Prototype Pollution
    Package         yargs-parser
    Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
    Path            react-scripts > webpack-dev-server > yargs > yargs-parser
    More info       https://npmjs.com/advisories/1500

    found 1 low severity vulnerability in 1641 scanned packages
    1 vulnerability requires manual review. See the full report for details.

Reproducible demo

npx create-react-app
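As an added example (not code from this issue or from create-react-app), a short Node.js script that walks an `npm ls --json`-style dependency tree, reports each copy of yargs-parser with its path, and checks the installed version against the "Patched in" ranges quoted in the audit report above. The tree, its versions and the comparator parser are constructed for illustration; the range syntax handled is only the subset npm advisories print.

```javascript
// Added example, not from the issue thread: locate every copy of a package in an
// `npm ls --json`-style tree and check it against the advisory's "Patched in" ranges.
const PATCHED = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2'; // from the audit report

function parseVersion(v) {
  return v.replace(/^v/, '').split('.').map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Comparator subset used by npm advisories (>=, <=, >, <; space = AND, "||" = OR).
// Deliberately not a full semver implementation: no ^, ~, x-ranges or prereleases.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(clause =>
    clause.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compare(v, parseVersion(m[2]));
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0 }[m[1]];
    }));
}

// Walk the tree and report every occurrence of `name` with its path and patch status.
function findPackage(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      out.push({ path: here.join(' > '), version: info.version,
                 patched: satisfies(info.version, PATCHED) });
    }
    findPackage(info, name, here, out);
  }
  return out;
}

// Constructed sample tree in the shape of `npm ls --json`; versions are illustrative.
const sampleTree = { dependencies: {
  'react-scripts': { version: '3.4.1', dependencies: {
    'webpack-dev-server': { version: '3.10.3', dependencies: {
      yargs: { version: '12.0.5', dependencies: {
        'yargs-parser': { version: '11.1.1' } } } } } } },
  'yargs-parser': { version: '18.1.3' } } };

for (const hit of findPackage(sampleTree, 'yargs-parser')) console.log(hit);
```

Run against a real tree by replacing `sampleTree` with `JSON.parse` of `npm ls --json --all` output; a hit with `patched: false` on a dev-only path such as webpack-dev-server is still worth noting even where, as in this thread, the maintainers judged it not exploitable at runtime.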

@snhasani

I have the same problem.

node v12.18.1
npm 6.14.6

@j1mr10rd4n

Looks like this has already been fixed and merged in #8529 and #8975. The vulnerability warning for yargs-parser will not appear after the next release of create-react-app (currently 3.4.1).

@paulius-valiunas

Is there a schedule for the next release, or a list of items you want done before it that we could keep track of?

@rikoe

rikoe commented Jul 29, 2020

The security vulnerability is from yargs-parser. This issue was previously reported here as #9033, which is now closed.

It seems we are expected to wait for version 4.0 for this issue to be resolved.

In my opinion, there should be a version 3.4.2 patch release that fixes the issue, since expecting people to upgrade to a new major version is not really a solution.

I am happy to do the necessary PR and related steps if someone can point me in the right direction...

@tbremer

tbremer commented Aug 5, 2020

Would love some insight on whether we are expected to wait for 4.0 or if we can get a 3.4.2 release…

@ambujverma

I have the same problem.

node v12.18.1
npm 6.14.6

I have the same problem. If you have fixed it, please help me.

@jimmyandrade

cc @vigomesbr

@gaearon
Contributor

gaearon commented Aug 11, 2020

Please see my reply in #9033 (comment).

There was no actual vulnerability here but we released react-scripts@3.4.2 to address the warning.

@gaearon gaearon closed this as completed Aug 11, 2020
@tbremer

tbremer commented Aug 11, 2020

Thanks for following up and taking care of the warning!
