
Running "npx create-react-app my-app" fails caused by found vulnerability #4487

Closed
@omniproc

Description

Is this a bug report?

Yes

Did you try recovering your dependencies?

npm 6.0.1

Which terms did you search for in User Guide?

None, see issue description.

Environment

npx: installed 67 in 13.51s

Environment:
OS: Windows 10
Node: 8.11.2
Yarn: Not Found
npm: 6.0.1
Watchman: Not Found
Xcode: N/A
Android Studio: Version 3.0.0.0 AI-171.4443003

ERROR: package.json not found!

Steps to Reproduce

  1. Open a new cmd.exe / powershell.exe prompt as user or as local administrator.
  2. Run npx create-react-app my-app

Expected Behavior

A basic react environment should be created.

Actual Behavior

npm install fails. Full output:

PS > npx create-react-app my-app
npx: installed 67 in 9.444s

Creating a new React app in C:\pathto\my-app.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...

The system cannot find the path specified.

> uglifyjs-webpack-plugin@0.4.6 postinstall C:\pathto\my-app\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js

+ react-dom@16.3.2
+ react@16.3.2
+ react-scripts@1.1.4
added 1321 packages from 811 contributors in 224.148s
[!] 1 vulnerability found [14378 packages audited]
    Severity: 1 Critical
    Run `npm audit` for more detail


Aborting installation.
  npm install --save --save-exact --loglevel error react react-dom react-scripts has failed.

Deleting generated file... node_modules
Deleting generated file... package.json
Done.

Reproducible Demo

Really just any Windows PC with the env. spec. I posted. Node + all NPM / Node folders on the system have been deleted and node re-installed (tested both: node v8.11.2 LTS and node 10 latest (v10.1.0)). Node cache was verified and force cleaned multiple times as well. I still get the same error.

iansu (Contributor) commented on May 18, 2018

I believe this is the same vulnerability: #4479. However, Create React App isn't directly affected by that vulnerability.

If npx is automatically running npm audit and failing if any vulnerabilities are found then that's going to be a problem for us with npm >= 6.

In the meantime, you can use yarn instead of npm by running yarn create react-app my-app.

omniproc (Author) commented on May 18, 2018

In another environment I have I was able to run the command npx create-react-app my-app without any issues. The environment was:

Environment:
  OS:  Windows 10
  Node:  10.0.0
  Yarn:  Not Found
  npm:  5.6.0
  Watchman:  Not Found
  Xcode:  N/A
  Android Studio:  Version  3.0.0.0 AI-171.4443003

I then updated npm to 6.1.0 in that environment. Details:

Environment:
  OS:  Windows 10
  Node:  10.1.0
  Yarn:  Not Found
  npm:  6.1.0-next.0
  Watchman:  Not Found
  Xcode:  N/A
  Android Studio:  Not Found

And now, on this machine, I was NOT getting the error although using npm 6.x. The output was:

npx: installed 1 in 1.872s
command not found: prefix
npx: installed 67 in 7.108s

Creating a new React app in C:\pathto\my-app.

Installing packages. This might take a couple of minutes.
(node:11624) ExperimentalWarning: The fs.promises API is experimental
Installing react, react-dom, and react-scripts...


> uglifyjs-webpack-plugin@0.4.6 postinstall C:\pathto\my-app\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js

+ react-dom@16.3.2
+ react@16.3.2
+ react-scripts@1.1.4
added 1321 packages from 811 contributors and audited 14378 packages in 146.71s
found 1 critical severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Success! Created my-app at C:\pathto\my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!

So after checking on multiple systems this issue seems to be related to some system configuration. I just have not found out which one yet.

If you check closely, the first output I posted has a line saying "The system cannot find the path specified." in it. I seem to be getting that error whenever I call npm on the affected systems, but so far I was unable to find out what's causing this strange behaviour. Could be completely unrelated though.

I'd be grateful for any ideas where to get more logging information from so I can find out what's actually happening there.

iansu (Contributor) commented on May 18, 2018

The npm audit command was added in npm 6, which is why you’re not seeing the error on the other system with npm 5.6.

omniproc (Author) commented on May 18, 2018

@iansu - as I wrote, I updated to 6.1.0 on that system and do not get the error anymore. It's not dependent on the npm version. Or at least not solely.

iansu (Contributor) commented on May 18, 2018

I missed that detail. I’m not at my computer and must not have read your reply carefully enough. I’m not sure what would be causing that. We’ll have to look into it more.

omniproc (Author) commented on May 19, 2018

Not a problem. I'll let you know when I find out some more details.

pkrawc commented on May 19, 2018

The problem is with a vulnerability in create-react-app's macaddress dependency. It's got command injection capabilities and could leave apps critically compromised.

gaearon (Contributor) commented on May 19, 2018

That’s not the case for how it’s used by cssnano (which is why you get it in CRA). So CRA apps are definitely not affected by this.

Additionally it’s a build dependency. Even if CRA dev environment was affected by this (which is not the case), “could leave apps compromised” is extremely misleading because this dependency isn’t used at runtime. CRA just gives you a static bundle, there’s no way a build dependency vulnerability could compromise your deployed apps.
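An added triage helper (not from this thread or the create-react-app project) that applies the distinction drawn above, build-time versus runtime-reachable dependency paths, to advisories in the shape of npm 6 `npm audit --json` output. The advisory ids, the dependency chain and the second advisory are constructed for illustration, the JSON layout is an assumption, and the set of build-only roots is a policy the caller supplies.

```python
import json

# Constructed sample shaped like the "advisories" map of npm 6 `npm audit --json`
# (assumption: each advisory carries module_name, severity and findings[].paths,
# a path being a ">"-separated chain starting at a top-level dependency).
# The ids, the chain and the second advisory are made up for illustration.
SAMPLE_AUDIT = json.loads("""{
  "advisories": {
    "ADVISORY-ID-PLACEHOLDER-1": {
      "module_name": "macaddress", "severity": "critical",
      "findings": [{"paths": ["react-scripts>cssnano>example-chain>macaddress"]}]
    },
    "ADVISORY-ID-PLACEHOLDER-2": {
      "module_name": "example-runtime-lib", "severity": "high",
      "findings": [{"paths": ["example-runtime-lib",
                               "react-scripts>example-runtime-lib"]}]
    }
  }
}""")

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def classify(audit, build_only_roots):
    """Map advisory id -> "build-time" or "runtime".
    Build-time only: every path to the module starts at a root the caller
    declares build-only (a toolchain that never ships in the static bundle).
    Any other root, or no path data at all, counts as runtime-reachable."""
    verdicts = {}
    for adv_id, adv in audit["advisories"].items():
        paths = [p for finding in adv["findings"] for p in finding["paths"]]
        roots = {p.split(">")[0] for p in paths}
        build_only = bool(roots) and roots <= set(build_only_roots)
        verdicts[adv_id] = "build-time" if build_only else "runtime"
    return verdicts

def runtime_findings(audit, build_only_roots, min_severity="low"):
    """Runtime-reachable advisories at or above min_severity, worst first.
    Build-time-only advisories are left out here, but they still execute on
    developer machines and CI (postinstall scripts included), so they belong
    in a separate, lower-priority queue rather than being ignored."""
    verdicts = classify(audit, build_only_roots)
    hits = [(adv_id, adv["module_name"], adv["severity"])
            for adv_id, adv in audit["advisories"].items()
            if verdicts[adv_id] == "runtime"
            and SEVERITY_RANK[adv["severity"]] >= SEVERITY_RANK[min_severity]]
    return sorted(hits, key=lambda hit: -SEVERITY_RANK[hit[2]])
```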

gaearon (Contributor) commented on May 19, 2018

For more details see my reply in #4479 (comment)

bugzpodder commented on Jun 1, 2018

This looks resolved, postcss-filter-plugins removed uniqid dependency in their latest update and subsequently the audit check passes.

gaearon (Contributor) commented on Jun 1, 2018

@bugzpodder thanks for the followup!

locked and limited conversation to collaborators on Jan 19, 2019
