I started learning React and created my first app by running:
'npx create-react-app my-app'
After the app was built I got a warning in the terminal that says:
22 vulnerabilities (9 moderate, 13 high)
I tried to fix it by running:
'npm audit fix'
But it returned this:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: [email protected]
npm ERR! node_modules/type-fest
npm ERR! type-fest@"^0.21.3" from [email protected]
npm ERR! node_modules/ansi-escapes
npm ERR! ansi-escapes@"^4.2.1" from @jest/[email protected]
npm ERR! node_modules/@jest/core
npm ERR! @jest/core@"^26.6.0" from [email protected]
npm ERR! node_modules/jest
npm ERR! peer jest@"^26.0.0" from [email protected]
npm ERR! node_modules/jest-watch-typeahead
npm ERR! 1 more (react-scripts)
npm ERR! 1 more (jest-cli)
npm ERR! ansi-escapes@"^4.3.1" from [email protected]
npm ERR! node_modules/jest-watch-typeahead
npm ERR! jest-watch-typeahead@"0.6.1" from [email protected]
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"4.0.3" from the root project
npm ERR! 2 more (jest-watcher, terminal-link)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/[email protected]
npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin
npm ERR! @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from [email protected]
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"4.0.3" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /home/azizdragon/.npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/azizdragon/.npm/_logs/2021-06-23T03_09_31_663Z-debug.log
I tried deleting the package-lock.json file and the node_modules folder and running:
npm install
But it resulted in the same vulnerabilities. Here is the report when I run "npm audit":
browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils  >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts  >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/css-what
css-select  <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select
svgo  >=1.0.0
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo  *
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack  >=4.0.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts  >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-svgo  >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default  *
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.4 || 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar  1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2  *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack  1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack  4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server  2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts  >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin  0.6.0 - 1.0.0
Depends on vulnerable versions of normalize-url
node_modules/mini-css-extract-plugin
react-scripts  >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-normalize-url  <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano-preset-default  *
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.4 || 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
Should I use npm audit fix --force?

If it helps, I run Linux Mint 18.3 Cinnamon 64-bit.
Node version: v16.0.0
NPM version: 7.18.1
Thanks in advance.
npm audit is problematic. These issues might be a problem if you were using them in the context of a Node.js application where they were deployed to production, but in the context of Create React App they aren't. You only really need to worry about anything flagged by npm audit --production. - Matthew Daly
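As an added example, not code from the question or from Matthew Daly's comment, the script below classifies an npm 7 `npm audit --json` report the way `npm audit --production` does: an entry counts as dev-only when every top-level package its `effects` chain reaches is a devDependency, and the `fixAvailable` field tells you whether plain `npm audit fix` or the breaking `--force` path applies. It assumes the auditReportVersion 2 field names (`isDirect`, `effects`, `fixAvailable` with `isSemVerMajor`) and uses a constructed package.json and report.

```javascript
// Added example (not code from the question or the comment): classify an
// npm 7 `npm audit --json` report (auditReportVersion 2; the field names are
// my assumption about that format) the way `npm audit --production` would.
const fixAll = { name: "react-scripts", version: "3.0.1", isSemVerMajor: true };
// Constructed package.json with react-scripts under devDependencies (a fresh
// CRA template lists it under dependencies, so adjust for your project).
const packageJson = {
  dependencies: { react: "^17.0.2", "example-runtime-lib": "^1.0.0" },
  devDependencies: { "react-scripts": "4.0.3" },
};
// Constructed report: the question's browserslist chain plus an invented prod-side entry.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    browserslist: { severity: "moderate", isDirect: false, effects: ["react-dev-utils"], fixAvailable: fixAll },
    "react-dev-utils": { severity: "moderate", isDirect: false, effects: ["react-scripts"], fixAvailable: fixAll },
    "react-scripts": { severity: "moderate", isDirect: true, effects: [], fixAvailable: fixAll },
    "example-runtime-lib": { severity: "high", isDirect: true, effects: [], fixAvailable: true },
  },
};
// Walk `effects` (the dependents this package makes vulnerable) up to the
// direct dependencies; returns the set of top-level package names reached.
function topLevelRoots(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return new Set();
  seen.add(name);
  const roots = v.isDirect || v.effects.length === 0 ? new Set([name]) : new Set();
  for (const dependent of v.effects) {
    for (const r of topLevelRoots(report, dependent, seen)) roots.add(r);
  }
  return roots;
}

// fixAvailable is true (plain fix), false (none) or an object whose
// isSemVerMajor flag is what npm reports as a "breaking change" (--force).
function fixCommand(fixAvailable) {
  if (fixAvailable === false) return "no fix available";
  if (fixAvailable === true || !fixAvailable.isSemVerMajor) return "npm audit fix";
  return "npm audit fix --force";
}
// Per entry: severity, whether a production dependency reaches it, and the fix command.
function classify(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return Object.fromEntries(Object.entries(report.vulnerabilities).map(([name, v]) => [name, {
    severity: v.severity,
    scope: [...topLevelRoots(report, name)].some((r) => prod.has(r)) ? "production" : "dev-only",
    fix: fixCommand(v.fixAvailable),
  }]));
}
```

On an unmodified create-react-app project react-scripts sits under dependencies, so `npm audit --production` still reports this chain until you move it to devDependencies; the script's scope column shows what that move changes.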