#1 2021-05-11 19:09:12

abott
Member
Registered: 2021-05-09
Posts: 8

Why are there multiple vulnerabilities in create-react-app?

I don't know if I can ask this question here or not, but anyway,

I installed node a couple of days back and then installed create-react-app, and after installation it showed 0 vulnerabilities.

But I tried it again now, and after installation create-react-app is showing 80 vulnerabilities.

I would like to know if it is Arch specific or not.

I've updated the system, but it is still showing 80 vulnerabilities.

#2 2021-05-11 20:42:24

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 4,069

Re: Why are there multiple vulnerabilities in create-react-app?

Because create-react-app is javascript, and javascript is a disastrous heaping pile of vulnerabilities everywhere and everywhen.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

#3 2021-05-12 19:18:12

abott
Member
Registered: 2021-05-09
Posts: 8

Re: Why are there multiple vulnerabilities in create-react-app?

Haha, actually I am not surprised by npm showing 80 vulnerabilities, but I was surprised when, after a fresh Arch install, I created an app via create-react-app and it showed 0 vulnerabilities. So I was wondering, is it possible? If yes, how?

#4 2021-05-12 19:26:47

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 4,069

Re: Why are there multiple vulnerabilities in create-react-app?

It probably just means the vulnerabilities were recently discovered (since the time it told you 0 vulnerabilities), and you may be able to get rid of them by completely removing node_modules and reinstalling create-react-app with npm.

Updating the system won't do much here, sadly, because the nodejs ecosystem doesn't really interact with the system. So every javascript dependency is vendored into create-react-app and you need to rebuild it from scratch to get updated versions of said dependencies.

You could also try running "npm audit fix" which will try to find updates for just the vulnerable javascript modules, and run "npm install" behind the scenes to fix them.

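A worked illustration of the point made in the reply above, added here and not part of the thread: the count npm reports comes from the advisory database at the moment `npm audit` runs, so the same node_modules tree can go from 0 to 80 findings without anything changing on disk, and `npm audit fix` only applies semver-compatible updates, leaving packages whose fix is a major version bump or which have no fix at all. The script below parses the JSON that `npm audit --json` emits (npm 7+ report format, `auditReportVersion` 2) and splits findings into those categories, so a developer can see why the total does not drop to zero after `npm audit fix`. The embedded report is a constructed sample with invented package names and advisory titles; the helper names (`load_report`, `summarize_audit`, `metadata_matches`) are mine, not npm's.

```python
"""Summarise an ``npm audit --json`` report (npm 7+ format, auditReportVersion 2).

Counts findings by severity and sorts affected packages into:
  - auto_fixable: ``npm audit fix`` can resolve them with semver-compatible updates
  - needs_major:  the only available fix is a semver-major bump (needs --force
                  or a deliberate upgrade of the top-level dependency)
  - unfixable:    no fixed version has been published
"""
import json
from collections import Counter

# Constructed sample with the shape npm 7+ emits. Package names, ranges and
# advisory titles are invented for illustration; they are not real advisories.
SAMPLE_AUDIT_JSON = r"""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-utils": {
      "name": "example-utils",
      "severity": "high",
      "isDirect": false,
      "via": [{"title": "Prototype pollution (constructed)", "url": "https://example.invalid/advisory/1"}],
      "effects": ["example-build-tool"],
      "range": "<4.17.21",
      "nodes": ["node_modules/example-utils"],
      "fixAvailable": true
    },
    "example-build-tool": {
      "name": "example-build-tool",
      "severity": "moderate",
      "isDirect": true,
      "via": ["example-utils"],
      "effects": [],
      "range": "1.0.0 - 2.3.1",
      "nodes": ["node_modules/example-build-tool"],
      "fixAvailable": {"name": "example-build-tool", "version": "3.0.0", "isSemVerMajor": true}
    },
    "example-abandoned": {
      "name": "example-abandoned",
      "severity": "low",
      "isDirect": false,
      "via": [{"title": "ReDoS (constructed)", "url": "https://example.invalid/advisory/2"}],
      "effects": [],
      "range": "*",
      "nodes": ["node_modules/example-abandoned"],
      "fixAvailable": false
    }
  },
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 1, "moderate": 1, "high": 1, "critical": 0, "total": 3},
    "dependencies": {"prod": 10, "dev": 40, "optional": 0, "peer": 0, "peerOptional": 0, "total": 50}
  }
}
"""


def load_report(text):
    """Parse the JSON text produced by ``npm audit --json``."""
    return json.loads(text)


def summarize_audit(report):
    """Return severity counts and the fixability buckets described above."""
    by_severity = Counter()
    auto_fixable, needs_major, unfixable = [], [], []
    for name, entry in report.get("vulnerabilities", {}).items():
        by_severity[entry["severity"]] += 1
        fix = entry.get("fixAvailable", False)
        if fix is True:
            # A compatible fixed version exists: ``npm audit fix`` handles it.
            auto_fixable.append(name)
        elif isinstance(fix, dict):
            # Fix requires changing a top-level dependency; only a major bump
            # is what ``npm audit fix`` refuses to apply without --force.
            (needs_major if fix.get("isSemVerMajor") else auto_fixable).append(name)
        else:
            unfixable.append(name)
    return {
        "total": sum(by_severity.values()),
        "by_severity": dict(by_severity),
        "auto_fixable": sorted(auto_fixable),
        "needs_major": sorted(needs_major),
        "unfixable": sorted(unfixable),
    }


def metadata_matches(report, summary):
    """Sanity check: our per-package count should equal npm's own total."""
    return summary["total"] == report["metadata"]["vulnerabilities"]["total"]


if __name__ == "__main__":
    rep = load_report(SAMPLE_AUDIT_JSON)
    print(json.dumps(summarize_audit(rep), indent=2))
```

To use it against a real project, run `npm audit --json > audit.json` in the project directory and pass the file contents to `load_report`; the `needs_major` and `unfixable` buckets are the findings that will survive a plain `npm audit fix`, which is the usual reason a freshly reinstalled create-react-app project still reports a non-zero count.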