Create-react-app: 12969 High Vulnerabilities

Created on 12 Jul 2019 · 11 Comments · Source: facebook/create-react-app

Describe the bug

Running npx create-react-app dummyapp --typescript generates 12969 high severity vulnerabilities.

Have you done all these steps and still see the issue?
yes

Npm version

6.4.1

Environment

npx create-react-app --info

npx: installed 91 in 13.567s

Environment Info:

  System:
    OS: Windows 10
    CPU: (8) x64 Intel(R) Xeon(R) CPU E5-1620 v4 @ 3.50GHz
  Binaries:
    Node: 10.15.0 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.4.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 41.16299.1004.0
    Internet Explorer: 11.0.16299.371
  npmPackages:
    react: ^16.8.6 => 16.8.6
    react-dom: ^16.8.6 => 16.8.6
    react-scripts: 3.0.1 => 3.0.1
  npmGlobalPackages:
    create-react-app: Not Found

Steps to reproduce

  1. npx create-react-app dummyapp --typescript

Expected behavior

no vulnerabilities

Actual behavior

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...


> [email protected] postinstall C:\Users\hloudin\source\tests\dummyappv2\node_modules\babel-runtime\node_modules\core-js
> node scripts/postinstall || echo "ignore"


> [email protected] postinstall C:\Users\hloudin\source\tests\dummyappv2\node_modules\core-js-pure
> node scripts/postinstall || echo "ignore"

+ @types/[email protected]
+ @types/[email protected]
+ [email protected]
+ @types/[email protected]
+ [email protected]
+ [email protected]
+ @types/[email protected]
+ [email protected]
added 1418 packages from 765 contributors and audited 902148 packages in 101.201s
found 12969 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
We detected TypeScript in your project (src\App.test.tsx) and created a tsconfig.json file for you.

Your tsconfig.json has been populated with default values.


Initialized a git repository.

Success! Created dummyappv2 at C:\Users\hloudin\source\tests\dummyappv2
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd dummyappv2
  npm start

Happy hacking!

Reproducible demo

All 11 comments

There's a "vulnerability" in set-value, and it's apparently used everywhere. Hopefully https://github.com/jonschlinkert/set-value/issues/16 gets attention and we don't need to worry about this. Maybe there are other things but I'm not sure.

I have the same issue. Apparently the vulnerability in set-value is fixed in 3.0.1 but everything is pulling in 2.0.1.

Same...

I saw it when I installed lodash

This is not a real “vulnerability” in the context of Create React App because it produces static bundles. So it can’t possibly affect you in any way.

The false positive warnings are unfortunate.

Are these all related to the Prototype Pollution in lodash? https://www.npmjs.com/advisories/1012

I just got an email back from npm security for advisory 1012, they added 2.0.1 to remediated. I think we're still dealing with 1013/mixin-deep, but I'll check shortly.

Edit: Actually looks like we're all clear!

I just ran audit and got 0 vulnerabilities...

I'm using react-scripts 2.1.5.
I just ran "npm audit", which shows 285 high vulnerabilities. It seems they all come from "mixin deep" and "set value".

@carpben It's nothing to worry about, but if you recover your dependencies it should go away. You could try npm --depth 999 update set-value && npm --depth 999 update mixin-deep, or just rm -rf node_modules && rm -f yarn.lock && rm -f package-json.lock && npm install.

Thanks @heyimalex .
I deleted node modules and package-lock.json, and ran "npm i". It's much better now, but there are still 5 high vulnerabilities all from "tar" package.
