 

Vulnerabilities when installing react-scripts

When I install react-scripts, I get 58 vulnerabilities (16 moderate, 40 high, 2 critical).

My setup is:

  • Linux Debian 10
  • Nodejs v14.18.1
  • Npm 8.1.0
  • react 17.0.2
  • react-scripts 4.0.3

Deprecated packages:

  • [email protected],
  • @hapi/[email protected],
  • @hapi/[email protected],
  • [email protected],
  • [email protected],
  • [email protected]
  • [email protected],
  • [email protected],
  • [email protected],
  • [email protected]
  • hapi/[email protected],
  • [email protected],
  • [email protected]
  • hapi/[email protected],
  • [email protected],
  • [email protected]

Please help!

V.Hure asked Feb 23 '26 05:02


1 Answer

If you are installing the latest version of react-scripts, it is very unlikely to be a problem.

You should consider moving react-scripts from dependencies to devDependencies in your package, if it is not there already, and run npm audit --production instead of npm audit. Basically, having "vulnerabilities" in dev dependencies is most likely not an issue as they cannot be exploited.

This issue on the create-react-app repository explains it in detail: https://github.com/facebook/create-react-app/issues/11174

And this article from the same author explains the problem with npm audit in a more general context: https://overreacted.io/npm-audit-broken-by-design/

Houssam answered Feb 25 '26 02:02
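To see which audit findings fall on the dev side of the split the answer describes, the added example below (not part of the original answer) cross-references the output of npm audit --json with the dev flags npm writes into package-lock.json. It assumes lockfileVersion 2 or later and the version 2 audit report format; the function name classifyFindings and all package names in the sample data are hypothetical placeholders.

```javascript
// Constructed sample data: package names and severities are placeholders,
// shaped like package-lock.json (lockfileVersion 2) and `npm audit --json`.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app" },
    "node_modules/example-build-tool": { version: "1.0.0", dev: true },
    "node_modules/example-runtime-lib": { version: "2.0.0" },
    "node_modules/example-shared": { version: "3.0.0" },
    "node_modules/example-build-tool/node_modules/example-shared": { version: "2.9.0", dev: true },
  },
};
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-build-tool": { severity: "high", nodes: ["node_modules/example-build-tool"] },
    "example-runtime-lib": { severity: "moderate", nodes: ["node_modules/example-runtime-lib"] },
    "example-shared": {
      severity: "critical",
      nodes: ["node_modules/example-shared",
              "node_modules/example-build-tool/node_modules/example-shared"],
    },
  },
};

// Split audit findings into those reachable from production dependencies
// and those installed only because of devDependencies.
function classifyFindings(audit, lock) {
  const result = { production: [], devOnly: [] };
  const installed = lock.packages || {};
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const nodes = vuln.nodes || [];
    // Dev-only requires every installed copy to carry dev: true in the lockfile.
    // A path missing from the lockfile counts as production, so nothing is
    // silently downgraded.
    const devOnly = nodes.length > 0 && nodes.every((path) => {
      const entry = installed[path];
      return entry !== undefined && entry.dev === true;
    });
    (devOnly ? result.devOnly : result.production).push({ name, severity: vuln.severity });
  }
  return result;
}

const report = classifyFindings(sampleAudit, sampleLock);
console.log("production:", report.production);
console.log("dev-only:", report.devOnly);
```

With react-scripts listed under dependencies, none of its tree carries the dev flag, so every finding lands in the production bucket; after moving it to devDependencies and reinstalling, the lockfile flags change and the split reflects that.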


