Security Vulnerabilities After Installing some NPM Packages in ReactJS Project


So, I'm learning to create a React app that uses a CSS framework like Materialize or Bootstrap. I use 2 different versions of npm to create the React app. The first one is npm 6 and the second one is npm 9.

When I installed Materialize or Bootstrap using npm 6, only 1 security vulnerability appeared, and it was fixed after I ran npm audit fix.

But when I use npm 9, 6 security vulnerabilities appear. To fix that, I tried npm audit fix and npm audit fix --force, but nothing changed; the security vulnerabilities still exist.

Here is how my terminals look:

[screenshot of the terminal output]

Is it because the npm package doesn't suit npm 9? If that's the case, is there a way I can use npm 9 to create a React app with Materialize or Bootstrap as the CSS framework?

Thank you


There is 1 answer

Junjie QU On

I hit the same issue on a MacBook (macOS); what is slightly different from the above is:

  1. After running npm audit fix --force, it showed more alerts than before: 83 vulnerabilities (14 low, 19 moderate, 44 high, 6 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

  2. After running the above command again as suggested:

npm WARN using --force Recommended protections disabled.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/chownr
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/ini
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/minimatch
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/minimist
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/rc/node_modules/minimist
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/tar
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/react-scripts/node_modules/fsevents/node_modules/mkdirp
npm WARN audit fix [email protected]   is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/react-scripts/node_modules/fsevents
npm WARN audit fix [email protected]   It cannot be fixed automatically.
npm WARN audit fix [email protected]   Check for updates to the fsevents package.
npm WARN audit Updating react-scripts to 5.0.1, which is a SemVer major change.
npm WARN deprecated [email protected]: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser
npm WARN deprecated [email protected]: Please use @jridgewell/sourcemap-codec instead

added 410 packages, removed 1182 packages, changed 321 packages, and audited 1399 packages in 57s

235 packages are looking for funding
  run npm fund for details

npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run: npm audit fix --force


As you observed, it is back to 6 high severity vulnerabilities.
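An added example, not code from the question or the answer: a small script that reads an `npm audit --json` report (auditReportVersion 2, npm 7+), walks each advisory up its `effects` edges to the direct dependency that pulls it in, and checks whether that dependency is declared as build-time only (devDependencies). The report and package.json below are constructed to mirror the nth-check -> css-select -> svgo -> @svgr/* -> react-scripts chain shown above; the version numbers in them are assumptions.

```javascript
// Build one vulnerability entry in npm's audit JSON shape (constructed sample data).
const vuln = (name, via, effects, extra = {}) =>
  ({ name, severity: "high", isDirect: false, via, effects, ...extra });

const audit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "nth-check": vuln("nth-check", [{ name: "nth-check", severity: "high", range: "<2.0.1",
      url: "https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
      title: "Inefficient Regular Expression Complexity in nth-check" }], ["css-select"]),
    "css-select": vuln("css-select", ["nth-check"], ["svgo"]),
    svgo: vuln("svgo", ["css-select"], ["@svgr/plugin-svgo"]),
    "@svgr/plugin-svgo": vuln("@svgr/plugin-svgo", ["svgo"], ["@svgr/webpack"]),
    "@svgr/webpack": vuln("@svgr/webpack", ["@svgr/plugin-svgo"], ["react-scripts"]),
    "react-scripts": vuln("react-scripts", ["@svgr/webpack"], [], { isDirect: true,
      fixAvailable: { name: "react-scripts", version: "5.0.1", isSemVerMajor: true } }),
  },
};
// Constructed package.json: create-react-app puts react-scripts under dependencies.
const pkg = { dependencies: { react: "^18.2.0", "react-scripts": "5.0.1" }, devDependencies: {} };

// Chains start at entries whose `via` holds advisory objects rather than package names.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).filter(v => v.via.some(x => typeof x === "object"));
}

// Follow `effects` from `name` until a direct dependency (or a dead end) is reached.
function chainsTo(report, name, path = [name], seen = new Set([name])) {
  const entry = report.vulnerabilities[name];
  if (!entry || entry.isDirect || entry.effects.length === 0) return [path];
  return entry.effects.flatMap(next =>
    seen.has(next) ? [] : chainsTo(report, next, [...path, next], new Set([...seen, next])));
}

// For each chain: the top-level package, where package.json declares it, and
// whether the only available fix is a semver-major (breaking) change.
function classify(report, pkgJson) {
  return rootAdvisories(report).flatMap(v => chainsTo(report, v.name).map(chain => {
    const top = chain[chain.length - 1];
    const scope = pkgJson.devDependencies[top] ? "devDependencies"
      : pkgJson.dependencies[top] ? "dependencies" : "transitive-only";
    const fix = report.vulnerabilities[top].fixAvailable;
    return { advisory: v.name, severity: v.severity, chain, top, scope,
             breakingFix: typeof fix === "object" && fix.isSemVerMajor === true };
  }));
}

for (const r of classify(audit, pkg))
  console.log(`${r.severity}: ${r.chain.join(" -> ")} [${r.scope}, breaking fix: ${r.breakingFix}]`);
```

A chain that tops out in a build-only tool such as react-scripts never reaches the shipped bundle; moving that package to devDependencies and auditing with `npm audit --omit=dev` separates it from findings in runtime dependencies, which is the distinction a reviewer wants before deciding whether a breaking `--force` upgrade is worth it.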