Vulnerabilities found after using npx create-react-app

[prathameshjchavan]

npm audit report

browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select
svgo >=1.0.0
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo *
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack >=4.0.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-svgo >=4.0.0-nightly.2020.1.9
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default *
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin 0.6.0 - 1.0.0
Depends on vulnerable versions of normalize-url
node_modules/mini-css-extract-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano-preset-default *
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.6
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

[joaoguidev]

Same issue here.

I updated my Nodejs to 16.3.0 with no effect.

Still getting those same 22 vulnerabilities (9 moderate, 13 high)

[krailler]

Here another with the same issue 🙋‍♂️

Using Node 16 with npm 7

[AnthoVDO]

Exactly the same

[Rugz007]

Same issue

[JayMacpherson]

Also same issue. Using latest LTS Node

[ako-v]

Same issue here

[crazypixel]

Same here

[thebytehoarder]

Same issue here too

[vincevalenz]

same

[ngamanning]

Same issue here. There are only 87 of vulnerabilities reported :D

[aquacalc]

7 vulnerabilities, of which 4 high: 2 each in script packages css-what and normalize-url

node 14.13.0
npm 6.14.8

[wattanx]

Same issue here too

[mf0sse]

Same here...

[rhalaly]

These vulnerabilities have been around for a long time. Is there any plan to fix them??