Create-react-app: found 4982 low severity vulnerabilities using create-react-app

Created on 4 Jul 2020 · 21Comments · Source: facebook/create-react-app

Describe the bug

create-react-app showing message "found 4982 low severity vulnerabilities" after installing all dependencies.

Did you try recovering your dependencies?

Yes I did delete node_modules and package-lock.json and installed latest version of npm and then ran npm install but I still see the "found 4982 low severity vulnerabilities" message

Which terms did you search for in User Guide?

Environment

Environment Info:

current version of create-react-app: 3.4.1
running from C:UsersDELLAppDataRoamingnpmnode_modulescreate-react-app

System:
OS: Windows 10 10.0.18362
CPU: (8) x64 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
Binaries:
Node: 12.18.1 - C:Program Filesnodejsnode.EXE
Yarn: Not Found
npm: 6.14.5 - C:Program Filesnodejsnpm.CMD
Browsers:
Edge: 44.18362.449.0
Internet Explorer: 11.0.18362.1
npmPackages:
react: ^16.13.1 => 16.13.1
react-dom: ^16.13.1 => 16.13.1
react-scripts: 3.4.1 => 3.4.1
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

(Write your steps here:)

open command-line or terminal
run npx create-react-app app-name
wait till all dependencies are installed

Expected behavior

it should show message similar to found 0 vulnerabilities

Actual behavior

terminal showing message "found 4982 low severity vulnerabilities"

Reproducible demo

https://github.com/Prajwal-Jadhav/test-app

bug report needs triage

Source

Prajwal-Jadhav

👍14 😕2 👀1

Most helpful comment

It has been fixed in webpack-dev-server (https://github.com/webpack/webpack-dev-server/releases/tag/v3.11.0), dep just needs updated

PaulInglis on 14 Jul 2020

🎉2 👍1

All 21 comments

I have the same problem today, i tried npm audit fix --force but still problem !

Maskoul on 4 Jul 2020

Same problem here with 4967 vulnerabilities.

crehds on 5 Jul 2020

😕1

somehow offtopic comment, trying to relax the atmosphere around something serious as 4000 audit fixes If you don't mind I will step closer and announce in our little circle of self-disappointment, that somebody is trying to bug and still holy wars between Adam and Ada are soap operas to watch

buahaha on 5 Jul 2020

Same problem here. When I run npm audit. It seems that most of the vulnerabilities are related to Lodash.

gabrielgnc94 on 5 Jul 2020

I believe it's related to this: https://npmjs.com/advisories/1523

Still no fix available?

kRyM1337 on 5 Jul 2020

is this zero-day?

buahaha on 5 Jul 2020

😄1

Even I am facing the same error.

m-code12 on 7 Jul 2020

Iam facing the same error, i have three working projects and i created new project too,every project is showing same error with slightly different no of errors.example of error is attached below,

Low Prototype Pollution

Package lodash

Patched in No patch available

Dependency of react-scripts

Path react-scripts > webpack-manifest-plugin > lodash

More info https://npmjs.com/advisories/1523

found 4982 low severity vulnerabilities in 1656 scanned packages
4982 vulnerabilities require manual review. See the full report for details.

stanlee1111000 on 7 Jul 2020

Same here, close to 5000 low severity vulnerabilities in create-react-app. What's the deal guys?

raynerhoward on 8 Jul 2020

😕1

Same here, seem like it mostly related to Lodash.

blackparadise0407 on 8 Jul 2020

hey, to clarify the issue, after npm audit fix the output says this modules needs manual attention.

my dependencies:

"react": "^16.13.1",
"react-dom": "^16.13.1",
"react-scripts": "3.4.1",

node --version
v13.11.0
npm --version
6.14.5

, and I'm not sure how to elaborate by facts...

buahaha on 8 Jul 2020

👍1

Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-manifest-plugin > lodash             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1523                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > yargs > yargs-parser    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4982 low severity vulnerabilities in 1655 scanned packages
  run `npm audit fix` to fix 4981 of them.
  1 vulnerability requires manual review. See the full report for details.

buahaha on 8 Jul 2020

👍1

npm audit fix then:

updated 1 package in 12.807s

61 packages are looking for funding
  run `npm fund` for details

fixed 4981 of 4982 vulnerabilities in 1655 scanned packages
  1 vulnerability required manual review and could not be updated

buahaha on 8 Jul 2020

👍1

, and

npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > yargs > yargs-parser    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1655 scanned packages
  1 vulnerability requires manual review. See the full report for details.

buahaha on 8 Jul 2020

👍3

Iam facing the same error, i have three working projects and i created new project too,every project is showing same error with slightly different no of errors.example of error is attached below,

Low Prototype Pollution

Package lodash

Patched in No patch available

Dependency of react-scripts

Path react-scripts > webpack-manifest-plugin > lodash

More info https://npmjs.com/advisories/1523

found 4982 low severity vulnerabilities in 1656 scanned packages
4982 vulnerabilities require manual review. See the full report for details.

it fixed when i try npm audit fix

stanlee1111000 on 9 Jul 2020

👍1

5 days ago when I tried "npm audit fix", nothing happened. Today, when I tried "npm audit fix" all the problems have been solved.
Any idea, why?

crehds on 10 Jul 2020

👍1

It has been fixed in webpack-dev-server (https://github.com/webpack/webpack-dev-server/releases/tag/v3.11.0), dep just needs updated

PaulInglis on 14 Jul 2020

🎉2 👍1

Now there is a high severity issue too (in react-scripts > webpack > node-libs-browser > crypto-browserify > create-ecdh > elliptic).
Can it be fixed with up-to-date deps on a package?

dmythro on 30 Jul 2020

👍1

, and

npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > yargs > yargs-parser    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1655 scanned packages
  1 vulnerability requires manual review. See the full report for details.

any one has the idea on fixing this? tried the version 18.1.3

Michaelangelo-GrizzlyBear on 5 Aug 2020

cc @vigomesbr

jimmyandrade on 7 Aug 2020

Re: https://github.com/facebook/create-react-app/issues/9263#issuecomment-669087220.

There was no actual vulnerability here.

Please see my reply in https://github.com/facebook/create-react-app/issues/9033#issuecomment-671847777.

I've cut a release of react-scripts which includes a dependency bump necessary for the audit message to go away.

Re: https://github.com/facebook/create-react-app/issues/9263#issuecomment-666330997, this has already been solved transitively, it's not something we could have fixed even if we wanted to.