Results 918 comments of dan

> What if the low-level dependencies of transitive packages are deprecated and there is no fix until those low-level dependencies are updated?

My question is *what are you trying to fix,...

> I moved react-scripts to devDependencies as you said, but it does not solve the reporting problem, and I still get npm audit warnings.

Yes, you're right. It appears that **it's...

@bcagarwal I empathize with this but I really don't know what we should be doing here. I feel out of my depth. npm added these warnings without consulting or working...

As a first step, this might (if it works) at least reduce the confusion for newly created projects: https://github.com/facebook/create-react-app/pull/11176.

I'll also be reaching out to our contacts at Node/npm to see how we can solve this at the ecosystem level.

> But there's no way that vulnerability in one of the react-scripts dependencies going to cause a vulnerability in the "produced static assets"?

In theory, yes, of course. In practice,...

> Can you confirm that the chance of that is totally zero?

That is not what I’m saying. I’m not saying the risk of using software is zero. If you...

I think we're in agreement here. Of course we'd like to have a mechanism for _reliable_ security flags. One thing we've been doing historically is to tag vulnerable releases of...

One thing we can consider is to **bundle dependencies at publish time**. This way, they won't show up in dep trees. Startup would be faster too. I'm seeing both Next.js...

> what's the proper solution here?

The solution is to loudly complain to npm until this is fixed.