When I enter npm install
in the relevant react project folder, it gives back this error after installing node modules
27 vulnerabilities (16 moderate, 9 high, 2 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
and npm audit fix --force
gives this output =>
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 0.9.5,which is a SemVer major change.
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated [email protected]: Deprecated. Please use https://github.com/webpack-contrib/mini-css-extract-plugin
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14 . Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated [email protected]: out of support
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
added 395 packages, removed 1253 packages, changed 287 packages, and audited 1099 packages in 3m
22 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ansi-html
react-dev-utils 0.2.0 - 11.0.3
Depends on vulnerable versions of ansi-html
node_modules/react-dev-utils
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
braces <2.3.1
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
color-string <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
color <=0.11.4
Depends on vulnerable versions of color-string
node_modules/color
colormin *
Depends on vulnerable versions of color
node_modules/colormin
postcss-colormin <=2.2.2
Depends on vulnerable versions of colormin
node_modules/postcss-colormin
cssnano <=3.10.0
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
debug <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/eslint-module-utils/node_modules/debug
eslint-module-utils 1.0.0-beta.0 - 2.0.0
Depends on vulnerable versions of debug
node_modules/eslint-module-utils
eslint-plugin-import 2.0.0-beta.0 - 2.1.0
Depends on vulnerable versions of eslint-module-utils
node_modules/eslint-plugin-import
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
http-proxy-middleware 0.3.0 - 0.17.4
Depends on vulnerable versions of micromatch
node_modules/http-proxy-middleware
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest
is-svg 2.1.0 - 4.2.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-7r28-3m3f-r2pr
fix available via `npm audit fix`
node_modules/is-svg
js-yaml <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/svgo/node_modules/js-yaml
svgo 0.4.2 - 1.0.5
Depends on vulnerable versions of js-yaml
node_modules/svgo
postcss-svgo <=2.1.6
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano <=3.10.0
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano
merge <2.1.1
Severity: high
Prototype Pollution in merge - https://github.com/advisories/GHSA-7wpw-2hjm-89gp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.1
Depends on vulnerable versions of exec-sh
node_modules/sane
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-resolve 18.1.0 - 19.0.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-resolve
jest-config 18.1.0 - 19.0.4
Depends on vulnerable versions of jest-resolve
node_modules/jest-config
jest-resolve-dependencies 18.1.0
Depends on vulnerable versions of jest-resolve
node_modules/jest-resolve-dependencies
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
mime <1.4.1
Severity: moderate
Regular Expression Denial of Service in mime - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mime
url-loader 0.5.5 - 0.5.9
Depends on vulnerable versions of mime
node_modules/url-loader
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
minimist <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/optimist/node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
webpack 0.11.0-beta1 - 2.0.2-beta
Depends on vulnerable versions of optimist
node_modules/webpack
extract-text-webpack-plugin <=1.0.1
Depends on vulnerable versions of webpack
node_modules/extract-text-webpack-plugin
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-notifier
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
open <6.0.0
Severity: critical
Command Injection in open - https://github.com/advisories/GHSA-28xh-wpgr-7fm8
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/open
webpack-dev-server <=3.1.10
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
node_modules/webpack-dev-server
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
react-dev-utils 0.2.0 - 11.0.3
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of ansi-html
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/react-dev-utils
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
webpack-dev-server <=3.1.10
Severity: critical
Missing Origin Validation in webpack-dev-server - https://github.com/advisories/GHSA-cf66-xwfp-gvc4
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of open
Depends on vulnerable versions of optimist
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
Depends on vulnerable versions of yargs-parser
node_modules/yargs
jest-cli 0.5.5 - 24.1.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of sane
Depends on vulnerable versions of yargs
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
react-scripts 0.1.0 - 4.0.0-next.117
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of http-proxy-middleware
Depends on vulnerable versions of jest
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
jest-runtime 12.1.1-alpha.2935e14d - 24.0.0-alpha.16
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-resolve
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
This used to work well before few weeks and I even cleared the npm cache but the issue still exists. Please help me on this issue. Thank you
CodePudding user response:
I had the same problem with literally the exact same number of vulnerabilities.
Check out the solution here