Create-react-app: "found 1 low severity vulnerability" warning while creating React App using "npx create-react-app" command.

Created on 26 Jul 2020 · 9 comments · Source: facebook/create-react-app

Describe the bug

While creating React-App using npx create-react-app command this warning comes:

found 1 low severity vulnerability
    run `npm audit fix` to fix them, or `npm audit` for details

Did you try recovering your dependencies?

Tried: npm install -g npm@latest

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

current version of create-react-app: 3.4.1

System:

    OS: Windows 10 10.0.19041
    CPU: (8) x64 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
Binaries:

    Node: 12.18.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
Browsers:

    Edge: 44.19041.1.0
    Internet Explorer: 11.0.19041.1

npmPackages:

    react: ^16.13.1 => 16.13.1
    react-dom: ^16.13.1 => 16.13.1
    react-scripts: 3.4.1 => 3.4.1

npmGlobalPackages:

    create-react-app: Not Found

Steps to reproduce

  1. When we run create-react-app this issue arises.

Expected behavior

To create a React App without any low severity vulnerability

Actual behavior

found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details

    === npm audit security report ===

    Manual Review
    Some vulnerabilities require your attention to resolve

    Visit https://go.npm.me/audit-guide for additional guidance

    Low             Prototype Pollution
    Package         yargs-parser
    Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
    Path            react-scripts > webpack-dev-server > yargs > yargs-parser
    More info       https://npmjs.com/advisories/1500

    found 1 low severity vulnerability in 1641 scanned packages
    1 vulnerability requires manual review. See the full report for details.

Reproducible demo

npx create-react-app

bug report needs triage
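As an added example (not from this issue or from create-react-app), the following Node script applies the "Patched in" ranges from the audit report above to an installed yargs-parser version, so a triager can confirm offline whether the flagged leaf of the reported path is at a fixed version. The version numbers it checks are constructed, and it evaluates only the >=, <=, > and < comparators that appear in ranges of this kind.

```javascript
// Added example (not from the issue or create-react-app): checks whether a
// yargs-parser version found on the audited dependency path lies inside the
// "Patched in" ranges printed by npm audit, so the warning can be confirmed
// offline. Versions below are constructed for illustration.

// "1.2.3" -> [1, 2, 3]; a pre-release suffix is ignored for this check.
const parseVersion = (v) => v.split('-')[0].split('.').map(Number);

// Compare two parsed versions component-wise: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">=13.1.2" or "<14.0.0" against a version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<)(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const cmp = compareVersions(parseVersion(version), parseVersion(m[2]));
  return { '>=': cmp >= 0, '<=': cmp <= 0, '>': cmp > 0, '<': cmp < 0 }[m[1]];
}

// An npm range is alternatives joined by "||"; each alternative is a
// space-separated set of comparators that must all hold.
function isPatched(version, rangeSpec) {
  return rangeSpec
    .split('||')
    .some((alt) => alt.trim().split(/\s+/).every((c) => satisfiesComparator(version, c)));
}

// "Patched in" ranges and dependency path exactly as quoted in the audit report.
const PATCHED_IN = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';
const AUDIT_PATH = 'react-scripts > webpack-dev-server > yargs > yargs-parser';

// Triage the leaf of the path: returns the verdict for the installed version.
function triage(installedVersion, rangeSpec = PATCHED_IN) {
  return {
    path: AUDIT_PATH,
    version: installedVersion,
    patched: isPatched(installedVersion, rangeSpec),
  };
}

// Constructed versions: the first sits below 13.1.2 (flagged), the second is patched.
console.log(triage('13.1.1'));
console.log(triage('13.1.2'));
```

A version such as 14.0.0 falls in none of the three alternatives and is therefore reported as not patched, which matches how npm audit reads the same range.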


All 9 comments

I have the same problem.

node v12.18.1
npm 6.14.6

Looks like this has already been fixed and merged in #8529 and #8975. The vulnerability warning for yargs-parser will not appear after the next release of create-react-app (currently 3.4.1).

Is there a schedule for the next release, or a list of items you want done before it that we could keep track of?

The security vulnerability is from yargs-parser. This issue was previously reported here as #9033, which is now closed.

It seems we are expected to wait for version 4.0 for this issue to be resolved.

In my opinion, there should be a version 3.4.2 patch release that fixes the issue, since expecting people to upgrade to a new major version is not really a solution.

I am happy to do the necessary PR and related steps if someone can point me in the right direction...

Would love some insight on whether we are expected to wait for 4.0 or if we can get a 3.4.2 release…


I have the same problem. If you fixed it, please help me.

cc @vigomesbr

Please see my reply in https://github.com/facebook/create-react-app/issues/9033#issuecomment-671847777.

There was no actual vulnerability here but we released [email protected] to address the warning.

Thanks for following up and taking care of the warning!
