Every time I create a react app with npx create-react-app <AppName>, I get:

96 vulnerabilities found - Packages audited: 1682
Severity: 65 Moderate | 30 High | 1 Critical
Node Version: v14.18.1
Npm: 7.20.5
React: ^17.0.2

When I use npm audit fix OR npm audit fix --force, these are the results:

68 vulnerabilities (21 moderate, 45 high, 2 critical)
47 vulnerabilities (12 low, 18 moderate, 15 high, 2 critical)
58 vulnerabilities (16 moderate, 40 high, 2 critical)
48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)
58 vulnerabilities (16 moderate, 40 high, 2 critical)

Here is the audit detail: Text File Link What I'm doing wrong?

Every time I create a react app with npx create-react-app <AppName>, I get:

96 vulnerabilities found - Packages audited: 1682
Severity: 65 Moderate | 30 High | 1 Critical
Node Version: v14.18.1
Npm: 7.20.5
React: ^17.0.2

When I use npm audit fix OR npm audit fix --force, these are the results:

68 vulnerabilities (21 moderate, 45 high, 2 critical)
47 vulnerabilities (12 low, 18 moderate, 15 high, 2 critical)
58 vulnerabilities (16 moderate, 40 high, 2 critical)
48 vulnerabilities (12 low, 18 moderate, 16 high, 2 critical)
58 vulnerabilities (16 moderate, 40 high, 2 critical)

Here is the audit detail: Text File Link What I'm doing wrong?

• javascript
• node.js
• reactjs
• npm

• 1 I was confused and thought I'm doing something wrong – Aly Commented Oct 14, 2021 at 18:49
• 1 Does this answer your question? Npm audit fix --force react script downgrade automatically – Andrey Commented Nov 11, 2021 at 10:15

1 Answer 1

It's an NPM Bug. See here for a longer explanation. You just need to put react-scripts in dev dependices like that

"dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
   },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },

This issue has already been solved on GitHub. https://github./facebook/create-react-app/issues/11174 If you really want to audit use npm audit --production.