Running 'npm audit fix --force' downgrades react-scripts


I have a huge problem with my project in React.
I'm trying to update the libraries on my project, but something goes wrong.

This is the package.json. Note that the react-scripts version is set to "^4.0.3".

{
  "name": "server",
  "version": "1.1.0",
  "description": "",
  "main": "index.js",
  "engines": {
    "node": "v14.16.0",
    "npm": ">=7.6.0"
  },
  "scripts": {
    "start": "node index.js",
    "server": "nodemon index.js",
    "client": "npm run start --prefix client",
    "dev": "concurrently \"npm run server\" \"npm run client\"",
    "heroku-postbuild": "NPM_CONFIG_PRODUCTION=false npm install --prefix client && npm run build --prefix client"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "body-parser": "^1.19.0",
    "concurrently": "^5.3.0",
    "cookie-parser": "^1.4.5",
    "cookie-session": "^1.4.0",
    "cors": "^2.8.5",
    "express": "^4.17.1",
    "express-socket.io-session": "^1.3.5",
    "heroku-ssl-redirect": "0.0.4",
    "lodash": "^4.17.21",
    "moment": "^2.29.1",
    "moment-timezone": "^0.5.33",
    "mongodb": "^3.6.4",
    "mongoose": "^5.11.17",
    "nodemailer": "^6.4.18",
    "nodemon": "^2.0.7",
    "passport": "^0.4.1",
    "passport-google-oauth20": "^2.0.0",
    "path-parser": "^6.1.0",
    "react-scripts": "^4.0.3",
    "sendgrid": "^5.2.3",
    "socket.io": "^3.1.1",
    "stripe": "^8.137.0"
  }
}

And below is the output of running npm audit fix --force, which downgrades the react-scripts package to 1.1.5. This results in even more reported vulnerabilities.
I have no idea how to solve this. I have already tried cleaning the npm cache, removing the node_modules folder, and removing package-lock.json.

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  1.0.7-alpha.60ae2b6d || >=1.0.8
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

dns-packet  <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dns-packet
  multicast-dns  6.0.0 - 7.2.2
  Depends on vulnerable versions of dns-packet
  node_modules/multicast-dns
    bonjour  >=3.3.1
    Depends on vulnerable versions of multicast-dns
    node_modules/bonjour
      webpack-dev-server  >=2.5.0
      Depends on vulnerable versions of bonjour
      node_modules/webpack-dev-server
        @pmmmwh/react-refresh-webpack-plugin  >=0.3.1
        Depends on vulnerable versions of webpack-dev-server
        node_modules/@pmmmwh/react-refresh-webpack-plugin
          react-scripts  1.0.7-alpha.60ae2b6d || >=1.0.8
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  autoprefixer  9.0.0 - 9.8.6
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  css-blank-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-blank-pseudo
    postcss-preset-env  >=6.0.0
    Depends on vulnerable versions of css-blank-pseudo
    Depends on vulnerable versions of css-prefers-color-scheme
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-color-gray
    Depends on vulnerable versions of postcss-double-position-gradients
    node_modules/postcss-preset-env
  css-declaration-sorter  4.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/css-declaration-sorter
  css-has-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-has-pseudo
  css-loader  2.0.0 - 4.3.0
  Depends on vulnerable versions of postcss
  node_modules/css-loader
    react-scripts  1.0.7-alpha.60ae2b6d || >=1.0.8
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  css-prefers-color-scheme  *
  Depends on vulnerable versions of postcss
  node_modules/css-prefers-color-scheme
  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
  Depends on vulnerable versions of postcss
  node_modules/cssnano
    optimize-css-assets-webpack-plugin  3.2.1 || 5.0.2 - 5.0.6
    Depends on vulnerable versions of cssnano
    node_modules/optimize-css-assets-webpack-plugin
  cssnano-preset-default  <=4.0.0-rc.2 || 4.0.1 - 4.0.8
  Depends on vulnerable versions of cssnano-util-raw-cache
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-reduce-initial
  node_modules/cssnano-preset-default
  cssnano-util-raw-cache  >=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  icss-utils  4.0.0 - 4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  2.0.0 - 4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  2.0.0 - 4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-attribute-case-insensitive  4.0.0 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-attribute-case-insensitive
  postcss-browser-comments  2.0.0 - 3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-browser-comments
    postcss-normalize  7.0.0 - 9.0.0
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-browser-comments
    node_modules/postcss-normalize
  postcss-calc  6.0.2 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/postcss-calc
  postcss-color-functional-notation  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-functional-notation
  postcss-color-gray  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-gray
  postcss-color-hex-alpha  4.0.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-hex-alpha
  postcss-color-mod-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-mod-function
  postcss-color-rebeccapurple  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-rebeccapurple
  postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-colormin
  postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-convert-values
  postcss-custom-media  7.0.0 - 7.0.8
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-media
  postcss-custom-properties  8.0.0 - 10.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-properties
  postcss-custom-selectors  5.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-selectors
  postcss-dir-pseudo-class  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-dir-pseudo-class
  postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-comments
  postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-duplicates
  postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-empty
  postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-overridden
  postcss-double-position-gradients  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-double-position-gradients
  postcss-env-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-env-function
  postcss-flexbugs-fixes  4.0.0 - 4.2.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-flexbugs-fixes
  postcss-focus-visible  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-visible
  postcss-focus-within  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-within
  postcss-font-variant  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-font-variant
  postcss-gap-properties  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-gap-properties
  postcss-image-set-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-image-set-function
  postcss-initial  3.0.0 - 3.0.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-initial
  postcss-lab-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-lab-function
  postcss-loader  3.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-loader
  postcss-logical  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-logical
  postcss-media-minmax  4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-media-minmax
  postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-longhand
  postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-rules
  postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-font-values
  postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-gradients
  postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-params
  postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-selectors
  postcss-modules-extract-imports  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  2.0.0 - 2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-nesting  7.0.0 - 7.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-nesting
  postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-unicode
  postcss-normalize-url  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-whitespace
  postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-ordered-values
  postcss-overflow-shorthand  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-overflow-shorthand
  postcss-page-break  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-page-break
  postcss-place  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-place
  postcss-pseudo-class-any-link  >=6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-pseudo-class-any-link
  postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-initial
  postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-transforms
  postcss-replace-overflow-wrap  3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-replace-overflow-wrap
  postcss-selector-matches  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-matches
  postcss-selector-not  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-not
  postcss-svgo  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-svgo
  postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-unique-selectors
  resolve-url-loader  3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
  stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/stylehacks

87 vulnerabilities (81 moderate, 6 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

There are 3 answers

PathToLife On BEST ANSWER

A number of developers are now running into this (hopefully temporary) problem when they update their projects.

For example: https://github.com/facebook/create-react-app/issues/11012

The recommendation is to leave this on the to-do list and wait a few days while the package maintainers fix it (at least for the packages whose maintainers have already been notified).

Then run npm audit fix again.

In the meantime, one finding in particular deserves attention – the 'high' severity one:

dns-packet  <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745

https://npmjs.com/advisories/1745

This would be a problem if the React application is running in dev mode on a public network, e.g. running a server in dev mode on Heroku via npm run start, exposed to the whole world (a BAD idea – consider searching for how to deploy a React application in production mode; there are a few methods).

If you are at home, on a local network, you should be OK.

If you are on public Wi-Fi, just don't run it in dev mode for now.

m3rt On

One of the create-react-app maintainers has announced that they cannot fix this, because the vulnerabilities affect transitive dependencies, and that in practice it should not matter.

The reasoning is that the npm audit feature was built with Node apps in mind, not build tools. Vulnerabilities in the dependencies should (in most cases) not translate to vulnerabilities in the static web app produced by create-react-app.

A possible workaround is to move react-scripts to the devDependencies section in your package.json and then audit only the production dependencies with npm audit --production.

Source: https://github.com/facebook/create-react-app/issues/11174

Henke - Нава́льный П с м On

0. Reproducing your findings

Thanks for including the package.json in your question!
By doing that, anyone can reproduce your findings.

I ran npm install npm@latest -g, and then npm --version, which responded 9.6.4.

In an empty directory, I added your package.json, then ran npm install, then npm audit.

The response was 34 vulnerabilities (1 low, 4 moderate, 20 high, 9 critical).

In the resulting NPM audit security report, 1
the packages ejs, immer, loader-utils, and shell-quote have critical vulnerabilities.

The packages ansi-html, glob-parent, minimatch, node-forge, and nth-check are reported to have high vulnerabilities.

The packages browserslist, engine.io, and passport, have moderate vulnerabilities.

Here is a screenshot of a part of the audit report, displaying a few of the mentioned vulnerabilities.

A part of the audit report, severity: critical and high

1. How to fix all your vulnerabilities

The reason vulnerabilities are reported is that some packages in the dependency tree are too old to include the fixes.
Take the package ejs as an example. The package.json does not depend on ejs directly.
The dependency is indirect, which means that ejs occurs somewhere deeper in the dependency tree. To find out exactly where, I ran npm ls ejs :

$ npm ls ejs
[email protected] …
`-- [email protected]
  `-- [email protected]
    `-- [email protected]
      `-- @surma/[email protected]
        `-- [email protected]

The package react-scripts depends indirectly on ejs

The remedy is to force the use of a newer version of ejs.
To find the latest version of ejs, I ran npm view ejs | grep latest : 2

$ npm view ejs | grep latest
latest: 3.1.9

'npm view ejs' - the latest version is 3.1.9

By repeating this for all the above-mentioned packages that were found to be vulnerable, the latest version of each such package may be found.

In December 2021, the Node package manager introduced the overrides clause.

The overrides functionality is designed to do exactly what I want. In short, insert the following chunk of code right after the second-last closing curly brace in package.json :

,
  "overrides": {
    "ejs": "^3.1.9",
    "immer": "^9.0.21",
    "loader-utils": "^3.2.1",
    "shell-quote": "^1.8.0",
    "ansi-html": "^0.0.9",
    "glob-parent": "^6.0.2",
    "minimatch": "^8.0.2",
    "node-forge": "^1.3.1",
    "nth-check": "^2.1.1",
    "browserslist": "^4.21.5",
    "engine.io": "^6.4.1",
    "passport": "^0.6.0"
  }

When I did that, and then ran npm install, I got an EOVERRIDE error :

$ npm install
npm ERR! code EOVERRIDE
npm ERR! Override for passport@^0.4.1 conflicts with direct dependency

npm ERR! code EOVERRIDE

The error message tells what the problem is – there is a direct dependency on passport@^0.4.1.
At the same time, I'm asking npm to override the package passport with version ^0.6.0.
This is not allowed.

The solution is to do the versioning by reference: "passport": "$passport".
But the version in "passport": "^0.4.1" cannot be kept
– it needs to be upgraded to "passport": "^0.6.0". 3

When I now ran npm install, I got the wanted message: found 0 vulnerabilities.

Finally, 'found 0 vulnerabilities'

2. Reasons to refrain from the --force flag

First of all, a plain npm audit command (without fix) neither affects package.json, nor package-lock.json (the lock file).

Secondly, npm audit fix (without the --force flag) also does not affect package.json.
However, it does modify package-lock.json.
Running npm audit fix a second time does not alter package-lock.json again.

All of the above is radically different once you add the --force flag.
In general, npm audit fix --force will modify both package.json and package-lock.json.
This is because that command will always try to fix things – as long as there are vulnerabilities.

The first time I run npm audit fix --force on your package.json, three packages are upgraded :
passport from ^0.4.1 to ^0.6.0, react-scripts from ^4.0.3 to ^5.0.1,
and socket.io from ^3.1.1 to ^4.6.1. 4

By contrast, the second time I run npm audit fix --force, the react-scripts package is downgraded from ^5.0.1 to ^2.1.3. This, of course, is exactly what you reported.
The reason – as explained in this answer – is that the second time npm audit fix --force runs, the package manager detects that there are vulnerabilities. And to fix those vulnerabilities – since the latest version of react-scripts (5.0.1) is already installed – it downgrades in an attempt to adjust to other packages potentially being older.

I think it would make more sense if the --force flag would never downgrade, but the designers of NPM apparently think differently.

To get back to version ^5.0.1 of react-scripts, you can run npm audit fix --force a third time. – Or – you can refrain from ever using --force in the first place.

If you still decide to use --force, at least do yourself the favor of saving a copy of package.json first, as there is no way to get it back once the --force flag has been applied.

3. Some more thoughts on your package.json

3. a. Exact version of Node.js?

I noticed that in your package.json, you set the version of Node.js to be exactly 14.16.0.
I haven't seen this before, but maybe you have a good reason to do so?
Your package.json works fine on my current version, 18.14.2.
But I do get a warning saying Unsupported engine – every time I run npm install.

3. b. Caret in the versioning of react-scripts

I noticed that you've set the version of react-scripts as "^4.0.3".
This is not recommended by the author of the package, who states :
It is pretty risky to use carets at the react-scripts level because it's an integration package.

3. c. Many direct dependencies are also indirect dependencies

I noticed that many of the direct dependencies in your package.json are already included in the dependency tree as indirect dependencies. I think it is better not to do this.

One such example is the body-parser package :

$ npm ls body-parser
[email protected] …
+-- [email protected]
`-- [email protected]
  `-- [email protected]

Dependencies of body-parser

Since body-parser is already in the dependency tree (via express), you might as well remove it from package.json as a direct dependency – provided your own code does not require it directly, since a transitive dependency is only guaranteed to be present for as long as express keeps depending on it.

Other direct dependencies, that are already included indirectly, are cookie-parser, cors, express, lodash, moment, and mongodb.

3. d. A proposed package.json

After incorporating the changes I've hinted about in the preceding subsections, here is a suggestion for an adjusted package.json.

{
  "name": "server",
  "version": "1.1.0",
  "description": "",
  "main": "index.js",
  "engines": {
    "npm": ">=7.6.0"
  },
  "scripts": {
    "start": "node index.js",
    "server": "nodemon index.js",
    "client": "npm run start --prefix client",
    "dev": "concurrently \"npm run server\" \"npm run client\"",
    "heroku-postbuild": "NPM_CONFIG_PRODUCTION=false npm install --prefix client && npm run build --prefix client"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "concurrently": "^5.3.0",
    "cookie-session": "^1.4.0",
    "express-socket.io-session": "^1.3.5",
    "heroku-ssl-redirect": "0.0.4",
    "moment-timezone": "^0.5.33",
    "mongoose": "^5.11.17",
    "nodemailer": "^6.4.18",
    "nodemon": "^2.0.7",
    "passport": "^0.6.0",
    "passport-google-oauth20": "^2.0.0",
    "path-parser": "^6.1.0",
    "react-scripts": "4.0.3",
    "sendgrid": "^5.2.3",
    "socket.io": "^3.1.1",
    "stripe": "^8.137.0"
  },
  "overrides": {
    "ejs": "^3.1.9",
    "immer": "^9.0.21",
    "loader-utils": "^3.2.1",
    "shell-quote": "^1.8.0",
    "ansi-html": "^0.0.9",
    "glob-parent": "^6.0.2",
    "minimatch": "^8.0.2",
    "node-forge": "^1.3.1",
    "nth-check": "^2.1.1",
    "browserslist": "^4.21.5",
    "engine.io": "^6.4.1"
  }
}

References


1 As may be noted, the vulnerabilities in your audit report are vastly different from the ones in mine. This is to be expected, as your NPM version is 7.6.0 whereas mine is 9.6.4. Probably even more important are the 22 months that have passed since you posted your question, which has given time for a lot more vulnerabilities to be discovered.

2 On Windows, you can leave out the last part, and just run npm view ejs.

3 In this case, the passport package might as well be removed from the overrides clause altogether. Why?
– Because there are no indirect dependencies on passport. Running npm ls passport reveals that the direct dependency on passport is the only dependency. Thus, merely updating the passport version to ^0.6.0 is sufficient.

4 It makes perfect sense that it downgraded when you asked the question, but upgrades now that I try to replicate.
– At the time when you asked the question, version 4.0.3 was presumably the latest version, but now when I run npm audit fix --force, it upgrades from the now old version 4.0.3 to the now latest version 5.0.1.