Npm vulnerabilities can't be fixed

Question

I started learning react and created my first app by running:

'npx create-react-app my-app'

After the app was built I got a warning in the terminal that says:

22 vulnerabilities (9 moderate, 13 high)

I tried to fix it by running:

'npm audit fix'

But it returned this:

npm ERR! code ERESOLVE npm ERR! ERESOLVE unable to resolve dependency tree npm ERR! npm ERR! Found: [email protected] npm ERR! node_modules/type-fest npm ERR! type-fest@"^0.21.3" from [email protected] npm ERR! node_modules/ansi-escapes npm ERR! ansi-escapes@"^4.2.1" from @jest/[email protected] npm ERR! node_modules/@jest/core npm ERR! @jest/core@"^26.6.0" from [email protected] npm ERR! node_modules/jest npm ERR! peer jest@"^26.0.0" from [email protected] npm ERR! node_modules/jest-watch-typeahead npm ERR! 1 more (react-scripts) npm ERR! 1 more (jest-cli) npm ERR! ansi-escapes@"^4.3.1" from [email protected] npm ERR! node_modules/jest-watch-typeahead npm ERR! jest-watch-typeahead@"0.6.1" from [email protected] npm ERR! node_modules/react-scripts npm ERR! react-scripts@"4.0.3" from the root project npm ERR! 2 more (jest-watcher, terminal-link) npm ERR! npm ERR! Could not resolve dependency: npm ERR! peerOptional type-fest@"^0.13.1" from @pmmmwh/[email protected] npm ERR! node_modules/@pmmmwh/react-refresh-webpack-plugin npm ERR! @pmmmwh/react-refresh-webpack-plugin@"0.4.3" from [email protected] npm ERR! node_modules/react-scripts npm ERR! react-scripts@"4.0.3" from the root project npm ERR! npm ERR! Fix the upstream dependency conflict, or retry npm ERR! this command with --force, or --legacy-peer-deps npm ERR! to accept an incorrect (and potentially broken) dependency resolution. npm ERR! npm ERR! See /home/azizdragon/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in: npm ERR!
/home/azizdragon/.npm/_logs/2021-06-23T03_09_31_663Z-debug.log

I tried deleting the package-lock.json file and node_modules folder and run:

npm install

But it resulted in the same vulnerabilities, here is the report when I run "npm audit":

browserslist 4.0.0 - 4.16.4 Severity: moderate Regular Expression Denial of Service - https://npmjs.com/advisories/1747 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/react-dev-utils/node_modules/browserslist react-dev-utils >=6.0.0-next.03604a46 Depends on vulnerable versions of browserslist node_modules/react-dev-utils react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts

css-what <5.0.1 Severity: high Denial of Service - https://npmjs.com/advisories/1754 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/svgo/node_modules/css-what css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select svgo >=1.0.0 Depends on vulnerable versions of css-select node_modules/svgo @svgr/plugin-svgo * Depends on vulnerable versions of svgo node_modules/@svgr/plugin-svgo @svgr/webpack >=4.0.0 Depends on vulnerable versions of @svgr/plugin-svgo node_modules/@svgr/webpack react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts postcss-svgo >=4.0.0-nightly.2020.1.9 Depends on vulnerable versions of svgo node_modules/postcss-svgo cssnano-preset-default * Depends on vulnerable versions of postcss-normalize-url Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.4 || 5.0.6 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin

glob-parent <5.1.2 Severity: moderate Regular expression denial of service - https://npmjs.com/advisories/1751 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/watchpack-chokidar2/node_modules/glob-parent node_modules/webpack-dev-server/node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 3.11.2 Depends on vulnerable versions of chokidar node_modules/webpack-dev-server @pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4 Depends on vulnerable versions of webpack-dev-server node_modules/@pmmmwh/react-refresh-webpack-plugin react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts

normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/1755 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/normalize-url node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin 0.6.0 - 1.0.0 Depends on vulnerable versions of normalize-url node_modules/mini-css-extract-plugin react-scripts >=0.10.0-alpha.328cb32e Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of mini-css-extract-plugin Depends on vulnerable versions of react-dev-utils Depends on vulnerable versions of webpack-dev-server node_modules/react-scripts postcss-normalize-url <=4.0.1 Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url cssnano-preset-default * Depends on vulnerable versions of postcss-normalize-url Depends on vulnerable versions of postcss-svgo node_modules/cssnano-preset-default cssnano 4.0.0-nightly.2020.1.9 - 4.1.11 Depends on vulnerable versions of cssnano-preset-default node_modules/cssnano optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.4 || 5.0.6 Depends on vulnerable versions of cssnano node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

Should I use npm audit fix --force? If it helps, I run Linux Mint 18.3 Cinnamon 64-bit Node version: v16.0.0 NPM version: 7.18.1

Thanks in advance.

Answer 1

As Matthew Daly has mentioned in the comments following this blog post npm audit: Broken by Design by Dan Abramov, most of or maybe all warnings are related to development dependencies, so they will not affect your production build, and you don't need to worry about fixing them at all.

It doesn't mean that development dependencies' vulnerabilities are harmless in every situation, every package and every version.

In my experience, most of the time there is no way to resolve all issues using npm audit and almost always using npm audit --force will make the situation even worse and break your app.

So I ignore these warnings when I'm installing the latest version of a popular, highly maintained package like create-react-app.

Surely Maintainers of libraries like CRA are aware of these warnings and would fix them immediately if they were serious.

Another way to make sure that these warning are harmless is to check the reported issues of the create-react-app or any other library and see what the responses had been.

I highly recommend you reading the mentioned article, npm audit: Broken by Design.