Amapola-Negra

Help needed with some vulnerability issues

Hi everybody. I'm new. I don't know if this is the right place to ask for help. I'm practising with React. I have updated node on my machine and I executed the command "npx create-react-app my-app" to start working with React. The app was installed but, in the process, there was a message about vulnerabilities found. I don't know if this has to do with the package or what. What can I do? Thanks in advance.

Regards :)

Sagar Chakravarthy

Hmm probably need to update npm to latest version and re-run.

You could also run npm audit to understand more about the vulnerabilities.

Amapola-Negra

Thanks Sagar. I ran the command but it gives me an error. It says "This command requires an existing lockfile." How is the process of updating and rerunning npm? Thanks again in advance.

Regards :)

Sagar Chakravarthy

Ah, my bad. Create React App is probably using yarn. We'll have to find a similar audit command for yarn. (I think there is yarn audit for it.)

Also, if this is a personal project, you could ignore these vulnerabilities. It's good to resolve this if you are using this code in production. Otherwise it should be okay to ignore.
Generally, at bigger companies they subscribe to some automated tools that find and fix these vulnerabilities automatically for you.

Amapola-Negra

Hi again Sagar. Well, I'm not happy with the reply. It is true that it is a personal project since I'm learning, but I think it is not good practice to ignore vulnerabilities. I've searched the web and there are a lot of vulnerabilities reported regarding this package. So, it is not my node, it is not my npm. I have the latest version of both. But at the time the package is getting installed, the terminal shows a lot of deprecated dependencies.
I know it is not your responsibility, but I think I must report this to the people in charge of this package so that they can fix the problem. Where could I find them?
At the same time I would like to know if there is another way to work with React on my machine without this package. Thanks in advance.

Regards :)

Sagar Chakravarthy

Fair point, Amapola! Generally, you can raise this on the GitHub repository's issues. I did a quick search in create-react-app's issues and found a similar issue reported already. We could follow the conversation there.

Amapola-Negra

Hi again Sagar. Thanks for your reply. I executed 'npm audit' again in my folder and again it gave me errors, and told me that "the command requires a lockfile". Then I ran 'npm i --package-lock-only'. Again new errors, but I typed 'npm audit' and eventually the terminal showed '0 vulnerabilities'. So I don't understand why npm detects vulnerabilities that don't exist. Thank you very much for your help.

Regards :)

Sagar Chakravarthy

> told me that "the command requires a lockfile"

Probably create-react-app uses yarn instead of npm. So yarn audit might have worked. But under the hood yarn and npm do similar things — package management.

> So I don't understand why npm detects vulnerabilities that don't exist

That's strange, not sure what is happening here.

> Thank you very much for your help

No problem 🙂
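The thread recommends npm audit to understand the findings. As an added example (not code from the thread, from create-react-app or from npm), here is a small Node script that reads the JSON form of that report, separates direct from transitive dependencies, and gates on severity the way a CI job would. It assumes the npm 7+ report format (auditReportVersion 2) and uses a constructed sample report with placeholder package names.

```javascript
// Added example, not code from the thread: read the JSON that `npm audit --json`
// prints and decide whether a build should fail. Assumes the npm 7+ report
// format (auditReportVersion 2); the sample report below is constructed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Reduce a raw report to what a reviewer needs: counts per severity, which
// findings sit in *direct* dependencies (listed in package.json, so you can
// change them yourself), and whether npm reports a fix (object = versioned fix).
function summarizeAudit(report) {
  const vulns = Object.values(report.vulnerabilities || {});
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const direct = [];
  for (const v of vulns) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    if (v.isDirect) {
      direct.push({
        name: v.name,
        severity: v.severity,
        fixAvailable: Boolean(v.fixAvailable),
        breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
      });
    }
  }
  return { total: vulns.length, counts, direct };
}

// Gate: true when any finding is at or above `threshold`, so a CI job can stop
// on high/critical findings while only reporting low/moderate ones.
function shouldFail(summary, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return Object.entries(summary.counts).some(([sev, n]) => n > 0 && SEVERITY_RANK[sev] >= min);
}

// Constructed sample in the shape `npm audit --json` prints (package names and
// advisory text are placeholders, not real advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-transitive': { name: 'example-transitive', severity: 'moderate',
      isDirect: false, via: ['example-direct'], fixAvailable: true },
    'example-direct': { name: 'example-direct', severity: 'high', isDirect: true,
      via: [{ title: 'constructed advisory', severity: 'high' }],
      fixAvailable: { name: 'example-direct', version: '2.0.0', isSemVerMajor: true } },
  },
};

// Real usage: `npm audit --json > audit.json`, then pass JSON.parse(fs.readFileSync('audit.json')).
console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
```

Because a generated lockfile (npm i --package-lock-only) changes which versions are resolved, the report can differ from the one printed during the original install, which is one reason the counts in the thread did not match.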