Closed
Description
Is this a bug report?
Yes
Did you try recovering your dependencies?
npm 6.0.1
Which terms did you search for in User Guide?
None, see issue description.
Environment
npx: installed 67 in 13.51s
Environment:
OS: Windows 10
Node: 8.11.2
Yarn: Not Found
npm: 6.0.1
Watchman: Not Found
Xcode: N/A
Android Studio: Version 3.0.0.0 AI-171.4443003
ERROR: package.json not found!
Steps to Reproduce
- Open a new cmd.exe / powershell.exe prompt as user or as local administrator.
- Run `npx create-react-app my-app`
Expected Behavior
A basic react environment should be created.
Actual Behavior
npm install fails. Full output:
PS > npx create-react-app my-app
npx: installed 67 in 9.444s
Creating a new React app in C:\pathto\my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
The system cannot find the path specified.
> uglifyjs-webpack-plugin@0.4.6 postinstall C:\pathto\my-app\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js
+ react-dom@16.3.2
+ react@16.3.2
+ react-scripts@1.1.4
added 1321 packages from 811 contributors in 224.148s
[!] 1 vulnerability found [14378 packages audited]
Severity: 1 Critical
Run `npm audit` for more detail
Aborting installation.
npm install --save --save-exact --loglevel error react react-dom react-scripts has failed.
Deleting generated file... node_modules
Deleting generated file... package.json
Done.
Reproducible Demo
Really just any Windows PC with the env. spec. I posted. Node + all NPM / Node folders on the system have been deleted and node re-installed (tested both: node v8.11.2 LTS and node 10 latest (v10.1.0)). Node cache was verified and force cleaned multiple times as well. I still get the same error.
Activity
iansu commented on May 18, 2018
I believe this is the same vulnerability: #4479. However, Create React App isn't directly affected by that vulnerability.
If `npx` is automatically running `npm audit` and failing if any vulnerabilities are found then that's going to be a problem for us with npm >= 6. In the meantime, you can use yarn instead of npm by running `yarn create react-app my-app`.
omniproc commented on May 18, 2018
In another environment I have I was able to run the command `npx create-react-app my-app` without any issues. The environment was: I then updated npm to 6.1.0 in that environment. Details:
And now, on this machine, I was NOT getting the error although using npm 6.x. The output was:
So after checking on multiple systems this issue seems to be related to some system configuration. I just have not found out which one yet.
If you check closely the first output I posted has a line saying "The system cannot find the path specified." in it. I seem to be getting that error whenever I call npm on the affected systems but so far I was unable to find out what's causing this strange behaviour. Could be completely unrelated though.
I'd be grateful for any ideas where to get more logging information from so I can find out what's actually happening there.
iansu commented on May 18, 2018
The `npm audit` command was added in npm 6, which is why you're not seeing the error on the other system with npm 5.6.
omniproc commented on May 18, 2018
@iansu - as I wrote I updated to 6.1.0 on that system and do not get the error anymore. It's not dependent on the npm version. Or at least not solely.
iansu commented on May 18, 2018
I missed that detail. I’m not at my computer and must not have read your reply carefully enough. I’m not sure what would be causing that. We’ll have to look into it more.
omniproc commented on May 19, 2018
Not a problem. I'll let you know when I find out some more details.
pkrawc commented on May 19, 2018
The problem is with a vulnerability in create-react-app's `macaddress` dependency. It's got command injection capabilities and could leave apps critically compromised.
gaearon commented on May 19, 2018
That’s not the case for how it’s used by cssnano (which is why you get it in CRA). So CRA apps are definitely not affected by this.
Additionally it’s a build dependency. Even if CRA dev environment was affected by this (which is not the case), “could leave apps compromised” is extremely misleading because this dependency isn’t used at runtime. CRA just gives you a static bundle, there’s no way a build dependency vulnerability could compromise your deployed apps.
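The distinction gaearon draws above (a finding under a build-only dependency versus one on a runtime path) is exactly what a team needs to encode when an audit result decides whether an install or CI job fails. As an added example, not code from this issue or from the create-react-app project, here is a small Node script that triages a report in the shape `npm audit --json` produced under npm 6 (an `advisories` map whose entries carry `module_name`, `severity` and `findings[].paths`; that shape is an assumption of this example). The `BUILD_ONLY_ROOTS` list, the `triageAudit` and `shouldFail` names, and the sample report (which uses the `macaddress` via `cssnano`/`postcss-filter-plugins`/`uniqid` chain mentioned in this thread, with a placeholder advisory id and version) are all constructed here.

```javascript
// Added example: triage an npm 6 style `npm audit --json` report so that
// findings reachable only through build-time tooling are reported but do
// not fail the job, while findings on runtime paths do.

// Top-level packages that only ever execute at build time. For a Create
// React App project that is react-scripts. (Assumption: this list is ours;
// neither npm nor CRA defines it.)
const BUILD_ONLY_ROOTS = new Set(["react-scripts"]);

// Order severities so a "fail at or above X" policy can be expressed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Classify each advisory. A finding is "build-only" when every dependency
// path (npm writes them as "root>child>...>module") starts at one of the
// build-only roots. An advisory with no paths is treated as reachable, so
// missing data fails closed rather than open.
function triageAudit(report, buildOnlyRoots = BUILD_ONLY_ROOTS) {
  const results = [];
  for (const adv of Object.values((report && report.advisories) || {})) {
    const paths = (adv.findings || []).reduce(
      (acc, f) => acc.concat(f.paths || []),
      []
    );
    const buildOnly =
      paths.length > 0 &&
      paths.every((p) => buildOnlyRoots.has(p.split(">")[0]));
    results.push({
      module: adv.module_name,
      severity: adv.severity,
      paths,
      buildOnly,
    });
  }
  return results;
}

// Policy: fail only for findings at or above `threshold` that can reach
// runtime code. Build-only findings are surfaced in the report but do not
// by themselves abort the install.
function shouldFail(results, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return results.some(
    (r) => !r.buildOnly && (SEVERITY_RANK[r.severity] || 0) >= min
  );
}

// Constructed sample in the shape of npm 6's `npm audit --json`. The id,
// version and title are placeholders, not a real advisory record.
const SAMPLE_REPORT = {
  advisories: {
    "0": {
      id: 0,
      module_name: "macaddress",
      severity: "critical",
      title: "placeholder advisory title",
      findings: [
        {
          version: "0.0.0",
          paths: [
            "react-scripts>cssnano>postcss-filter-plugins>uniqid>macaddress",
          ],
          dev: false,
        },
      ],
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 1 },
  },
};

// Stand-alone usage: `npm audit --json > audit.json && node triage.js audit.json`
// With no argument the constructed sample is triaged instead.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const report = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_REPORT;
  const results = triageAudit(report);
  for (const r of results) {
    const where = r.buildOnly ? "build-only" : "reachable at runtime";
    console.log(`${r.severity.padEnd(8)} ${r.module} (${where})`);
    for (const p of r.paths) console.log(`    via ${p}`);
  }
  process.exitCode = shouldFail(results) ? 1 : 0;
}

if (typeof module !== "undefined") {
  module.exports = { triageAudit, shouldFail, SAMPLE_REPORT, BUILD_ONLY_ROOTS };
}
```

Run against the sample, the one critical finding is classified as build-only (its only path starts at `react-scripts`) and the exit code stays 0; the same advisory reached through any other root would set exit code 1. The root list is the one policy knob: it should name only packages that never ship code into the deployed bundle.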
gaearon commented on May 19, 2018
For more details see my reply in #4479 (comment)
bugzpodder commented on Jun 1, 2018
This looks resolved, postcss-filter-plugins removed uniqid dependency in their latest update and subsequently the audit check passes.
gaearon commented on Jun 1, 2018
@bugzpodder thanks for the followup!