
npx create-react-app 9 vulnerabilities (3 moderate, 6 high)

Open Hell0WorldAgain opened this issue 4 months ago • 0 comments

Describe the bug

While I was trying to initiate and install node modules using "npx create-react-app" and auditing using "npm audit", it gave the below issues:

npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.1.0
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

webpack-dev-server  <=5.2.0
Severity: moderate
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - https://github.com/advisories/GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site - https://github.com/advisories/GHSA-4v9v-hfq4-rm2v
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/webpack-dev-server

9 vulnerabilities (3 moderate, 6 high)

To address all issues (including breaking changes), run: npm audit fix --force

Did you try recovering your dependencies?

I've tried fixing normally and forcefully as well; fixing normally did nothing, but fixing forcefully modified the "react-scripts" version to 0.0.0.0. I have tried re-installing npm after removing the "package-lock.json" and "npm_modules" folder, and found nothing to move forward with.

Which terms did you search for in User Guide?

I searched with the same term "npx create-react-app audit error fix" but couldn't find anything helpful. Also, I got to know that this issue is too old, but the React or Facebook team didn't care to fix this issue, IDK why?

Environment

Environment Info:

current version of create-react-app: 5.1.0 running from C:\Users\admin\AppData\Local\npm-cache\_npx\c67e74de0542c87c\node_modules\create-react-app

System:
  OS: Windows 11 10.0.22631
  CPU: (8) x64 Intel(R) Core(TM) i7-8665U CPU @ 1.90GHz
Binaries:
  Node: 22.17.1 - C:\Program Files\nodejs\node.EXE
  Yarn: Not Found
  npm: 10.9.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Chrome: Not Found
  Edge: Chromium (139.0.3405.125)
  Internet Explorer: 11.0.22621.3527
npmPackages:
  react: ^19.1.1 => 19.1.1
  react-dom: ^19.1.1 => 19.1.1
  react-scripts: 5.0.1 => 5.0.1
npmGlobalPackages:
  create-react-app: Not Found

Steps to reproduce

  1. npx create-react-app
  2. npm audit
  3. npm audit

Expected behavior

There shouldn't be any vulnerability errors from just installing node modules. It's a core bug, not one in any other package or library.

Actual behavior

Getting the "9 vulnerabilities (3 moderate, 6 high)" issue by just installing the NPM package using create-react-app.

What happens if you skip this step?

If I skip this issue, there might not be any issue in an empty node environment, but I tried installing the MUI library and it broke.


Hell0WorldAgain avatar Sep 06 '25 09:09 Hell0WorldAgain
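An added triage script, not code from this issue or from the create-react-app project: it reads an `npm audit --json` report, counts findings by severity, follows each finding's `effects` chain to the direct dependency that pulls it in, and separates fixes that stay within semver range (what a plain `npm audit fix` applies) from the ones npm flags as breaking (what `--force` applies). The embedded report is constructed to mirror the nine findings in the report above; the JSON field names (`vulnerabilities`, `severity`, `isDirect`, `effects`, `fixAvailable`, `isSemVerMajor`) are assumed to follow npm's auditReportVersion 2 layout and are not taken from the issue.

```python
"""Triage an `npm audit --json` report: severity counts, the direct dependency
behind each finding, and which fixes are in-range versus semver-major."""
import json
from collections import Counter


def _v(severity, rng, effects, direct=False):
    """Build one vulnerability entry in the assumed auditReportVersion 2 shape."""
    return {
        "severity": severity, "range": rng, "isDirect": direct,
        "effects": effects,
        # Every fix in the issue's report points at react-scripts and is breaking.
        "fixAvailable": {"name": "react-scripts", "isSemVerMajor": True},
    }


# Constructed sample mirroring the nine findings in the issue; field layout is an
# assumption about npm's JSON format, trimmed to the keys this script reads.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "nth-check": _v("high", "<2.0.1", ["css-select"]),
        "css-select": _v("high", "<=3.1.0", ["svgo"]),
        "svgo": _v("high", "1.0.0 - 1.3.2", ["@svgr/plugin-svgo"]),
        "@svgr/plugin-svgo": _v("high", "<=5.5.0", ["@svgr/webpack"]),
        "@svgr/webpack": _v("high", "4.0.0 - 5.5.0", ["react-scripts"]),
        "react-scripts": _v("high", ">=0.1.0", [], direct=True),
        "postcss": _v("moderate", "<8.4.31", ["resolve-url-loader"]),
        "resolve-url-loader": _v("moderate", "3.0.0-alpha.1 - 4.0.0", ["react-scripts"]),
        "webpack-dev-server": _v("moderate", "<=5.2.0", ["react-scripts"]),
    },
})


def load_report(text):
    """Parse the JSON report and return its vulnerabilities map."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2")
    return report["vulnerabilities"]


def severity_counts(vulns):
    """Count findings per severity label (npm prints these as the summary line)."""
    return Counter(entry["severity"] for entry in vulns.values())


def root_package(vulns, name):
    """Walk `effects` edges up to the direct dependency that pulls `name` in."""
    seen = set()
    while name not in seen:
        seen.add(name)
        entry = vulns.get(name)
        if entry is None or entry.get("isDirect") or not entry.get("effects"):
            return name
        name = entry["effects"][0]
    return name  # cycle guard: stop where the chain repeats


def fix_kind(entry):
    """Classify npm's fixAvailable: False, True (in-range), or a breaking upgrade."""
    fix = entry.get("fixAvailable", False)
    if fix is False:
        return "none"
    if fix is True:
        return "in-range"
    return "breaking" if fix.get("isSemVerMajor") else "in-range"


def triage(text):
    """Summarise a report so a reviewer can see why `npm audit fix` is a no-op."""
    vulns = load_report(text)
    by_root = {}
    for name in vulns:
        by_root.setdefault(root_package(vulns, name), []).append(name)
    return {
        "total": len(vulns),
        "by_severity": dict(severity_counts(vulns)),
        "by_root": by_root,
        "breaking": sorted(n for n, e in vulns.items() if fix_kind(e) == "breaking"),
        "safe_to_fix": sorted(n for n, e in vulns.items() if fix_kind(e) == "in-range"),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['total']} findings, by severity: {summary['by_severity']}")
    for root, names in summary["by_root"].items():
        print(f"direct dependency {root} accounts for: {', '.join(names)}")
    print(f"fixable in-range: {summary['safe_to_fix'] or 'none'}")
    print(f"only fixable with a breaking change: {summary['breaking']}")
```

Run against a real report with `npm audit --json > audit.json` and `triage(open("audit.json").read())`. On the constructed sample every finding resolves to the single direct dependency react-scripts and every fix is semver-major, which is exactly the situation where a plain `npm audit fix` changes nothing and `--force` replaces react-scripts with whatever version npm decides satisfies the advisories.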