Hi everybody. I'm new. I don't know if this is the rigth place to ask for help. I'm practising with REACt. I have updated node in my machine and I executed the code "npx create-react-app my-app" to start working with react. The app was installed but, in the process there was a messagge about vulnerabilities found. I don't know if this has to do with the package or what. What can I do? Thanks in advance.
Regards :)
Top comments (7)
Hmm probably need to update npm to latest version and re-run.
You could also run
npm auditto understand more about the vulnerabilities.Thanks Sagar. I run the comand but it gives me error. It says "This command requires an existing lockfile. How is the process of updating and rerunning npm ? Thanks again in advance.
Regards :)
Ah my bad. Create react app is probably using
yarn. We'll have to find a similar audit command foryarn. (I think thereyarn auditfor it)Also if this is a personal project, you could ignore these vulnerabilities. It's good to resolve this if you are using this code on production. Otherwise it should be okay to ignore.
Generally at bigger companies they subscribe to some automated tools that finds and fixes these vulnerabilities automatically for you.
Hi again Sagar. Well I'm not happy with the reply. It is true that it is a personal project since I'm learning, but I think it is not a good practise to ignore vulnerabilities. I've searched the web and there is a lot of vulnerabilities reported regarding this package. So, it is not my node, it is not my npm. I have the last version of both. But at the time the package is getting installed the terminal shows a lot of deprecated dependencies.
I know it is not your responsibility, but I think I must report this to the people in charge of this package so that they could fix the problem. Where could I find them?
At the same time I would like to know if there would be another way to work with REACT in my machine without this package. Thanks in advance.
Regards:)
Fair point Amapola! Generally, you can raise this on the Github repository's issues. I did a quick search in
create-react-app's issues and found a similar issue reported already. We could follow the conversation there.Hi again Sagar. Thanks for your reply. I executed again 'npm audit' in my folder and again it gave me erros, and told me that "the command required a lockfile". Then I introduced 'npm i --package-lock-only'. Again new errors, but I typed 'npm audit' and eventually the terminal sowed '0 vulnerabilities'. So I don't understand why npm detects vulnerabilities that don't exist. Thank you very much for your help.
Regards :)
Probably
create-react-appusesyarninstead ofnpm. Soyarn auditmight have worked. But under the hoodyarnandnpmdo similar things — package management.That's strange, not sure what is happening here.
No problem 🙂