Possible duplicate, but couldn't find any clear answers.
Dependabot cannot update nth-check to a non-vulnerable version The latest possible version that can be installed is 1.0.2 because of the following >conflicting dependency:
[email protected] requires nth-check@^1.0.2 via a transitive dependency on [email protected]
just upgraded to [email protected] from 4.0.0.
CodePudding user response:
As Dan Abramov explains in this issue, it is (very likely) a false alarm and can be safely dismissed.
More specifically, if you are using CRA and nth-check is referenced only from it, it is not an issue, because CRA is a build tool and the vulnerable code will never get into the resulting application bundle and thus will never be called by client code.
You can verify this by moving "react-scripts" into "devDependencies" in package.json
and running npm audit --production
.