
**There are no actual vulnerabilities here.** CRA 4.0.3, package dev dependency #11461

Closed
NickCarducci opened this issue Sep 19, 2021 · 2 comments

Comments


NickCarducci commented Sep 19, 2021

Releasing CRA 5 to the public may fix this issue.

Environment

npx create-react-app --info

Environment Info:

  current version of create-react-app: 4.0.3
  running from /home/sandbox/.npm/_npx/850/lib/node_modules/create-react-app

  System:
    OS: Linux 5.4 Debian GNU/Linux 10 (buster) 10 (buster)
    CPU: (12) x64 Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
  Binaries:
    Node: 14.17.6 - ~/.nvm/versions/node/v14.17.6/bin/node
    Yarn: 1.22.11 - ~/.nvm/versions/node/v14.17.6/bin/yarn
    npm: 6.14.15 - ~/.nvm/versions/node/v14.17.6/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: Not Found
  npmPackages:
    react: 17.0.2 => 17.0.2
    react-dom: 17.0.2 => 17.0.2
    react-scripts: ^4.0.3 => 4.0.3
  npmGlobalPackages:
    create-react-app: Not Found

Steps to reproduce

https://codesandbox.io/s/inspiring-driscoll-v5fmc
It works in CodeSandbox's environment, but not as a GitHub repository deployed to Netlify, with CodeSandbox's hidden preinstall process (npm force-resolutions?).

Expected behavior

There are no actual vulnerabilities here.

Unfortunately, npm audit has no idea that these packages are development-only dependencies. From what I can tell, none of these "vulnerabilities" actually affect your application (or even development machine) in any way.

This is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA).

Originally posted by @gaearon in #11012 (comment)

Actual behavior

How are they used in CRA, for a package of a package?

"node-fetch": "2.6.2" is failing to be resolved because the pouchdb volunteers are busy, and/or they are sticklers for the advisory https://www.npmjs.com/advisories/1556, or they haven't noticed it:
pouchdb/pouchdb#8281 (comment)
I'll try npm force-resolutions.

12:26:03 PM: # npm audit report
12:26:03 PM: browserslist  4.0.0 - 4.16.4
...
12:26:03 PM: Will install react-scripts@1.1.5, which is a breaking change
...
12:26:03 PM:   react-dev-utils  >=6.0.0-next.03604a46
12:26:03 PM:   Depends on vulnerable versions of browserslist
12:26:03 PM:   node_modules/react-dev-utils
12:26:03 PM:     react-scripts  >=0.10.0-alpha.328cb32e
...
12:26:03 PM: glob-parent  <5.1.2
12:26:03 PM: Severity: moderate
12:26:03 PM: Regular expression denial of service - https://npmjs.com/advisories/1751
12:26:03 PM: fix available via `npm audit fix --force`
12:26:03 PM: Will install react-scripts@1.1.5, which is a breaking change
12:26:03 PM: node_modules/webpack-dev-server/node_modules/glob-parent
12:26:03 PM:   chokidar  1.0.0-rc1 - 2.1.8
...
12:26:03 PM:   node_modules/webpack-dev-server/node_modules/chokidar
12:26:03 PM:     webpack-dev-server  2.0.0-beta - 3.11.2
...
12:26:03 PM:       node_modules/@pmmmwh/react-refresh-webpack-plugin
12:26:03 PM:         react-scripts  >=0.10.0-alpha.328cb32e
...
12:26:03 PM:         node_modules/react-scripts
12:26:03 PM: node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
12:26:03 PM: Denial of Service - https://npmjs.com/advisories/1556
12:26:03 PM: No fix available
12:26:03 PM: node_modules/pouchdb/node_modules/node-fetch
12:26:03 PM:   pouchdb  >=7.1.0
12:26:03 PM:   Depends on vulnerable versions of node-fetch
12:26:03 PM:   node_modules/pouchdb

NickCarducci commented Sep 23, 2021

CRA 4 and react-scripts: "^4.0.0" require typescript: "^3.2.1", preferably in peerDependencies.
Also, I might just have to increase the heap; 2048 hasn't worked (Netlify gives an env variable input like CodeSandbox, or by script, which I haven't tried). Just dipping my toe...

11:14:03 PM: │                                Manual Review                                 │
11:14:03 PM: │            Some vulnerabilities require your attention to resolve            │
11:14:03 PM: │                                                                              │
11:14:03 PM: │         Visit https://go.npm.me/audit-guide for additional guidance          │
11:14:03 PM: └──────────────────────────────────────────────────────────────────────────────┘
11:14:03 PM: ┌───────────────┬──────────────────────────────────────────────────────────────┐
11:14:03 PM: │ Low           │ Denial of Service                                            │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Package       │ node-fetch                                                   │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Dependency of │ pouchdb                                                      │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Path          │ pouchdb > node-fetch                                         │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ More info     │ https://npmjs.com/advisories/1556                            │
11:14:03 PM: └───────────────┴──────────────────────────────────────────────────────────────┘
11:14:03 PM: ┌───────────────┬──────────────────────────────────────────────────────────────┐
11:14:03 PM: │ Moderate      │ Regular Expression Denial of Service                         │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Package       │ browserslist                                                 │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Patched in    │ >=4.16.5                                                     │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Dependency of │ react-scripts [dev]                                          │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Path          │ react-scripts > react-dev-utils > browserslist               │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ More info     │ https://npmjs.com/advisories/1747                            │
11:14:03 PM: └───────────────┴──────────────────────────────────────────────────────────────┘
11:14:03 PM: ┌───────────────┬──────────────────────────────────────────────────────────────┐
11:14:03 PM: │ Moderate      │ Regular expression denial of service                         │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Package       │ glob-parent                                                  │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Patched in    │ >=5.1.2                                                      │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Dependency of │ react-scripts [dev]                                          │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Path          │ react-scripts > webpack > watchpack > watchpack-chokidar2 >  │
11:14:03 PM: │               │ chokidar > glob-parent                                       │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ More info     │ https://npmjs.com/advisories/1751                            │
11:14:03 PM: └───────────────┴──────────────────────────────────────────────────────────────┘
11:14:03 PM: ┌───────────────┬──────────────────────────────────────────────────────────────┐
11:14:03 PM: │ Moderate      │ Regular expression denial of service                         │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Package       │ glob-parent                                                  │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Patched in    │ >=5.1.2                                                      │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Dependency of │ react-scripts [dev]                                          │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ Path          │ react-scripts > webpack-dev-server > chokidar > glob-parent  │
11:14:03 PM: ├───────────────┼──────────────────────────────────────────────────────────────┤
11:14:03 PM: │ More info     │ https://npmjs.com/advisories/1751                            │
11:14:03 PM: └───────────────┴──────────────────────────────────────────────────────────────┘
11:14:03 PM: found 4 vulnerabilities (1 low, 3 moderate) in 2397 scanned packages
11:14:03 PM:   4 vulnerabilities require manual review. See the full report for details.
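The two audit reports in this thread make the same point in different shapes: npm already knows which paths are development-only (the npm 6 table tags `react-scripts [dev]`), but it still counts all four findings toward the total and the "manual review" verdict, and it offers no fix at all for `node-fetch` under `pouchdb`, which is why the author reaches for npm-force-resolutions. The script below is an added example, not code from create-react-app, npm or either commenter. It triages an `npm audit --json` report (npm 6 shape, reduced to the fields needed) by whether each advisory is reachable from a production dependency, cross-checking npm's `dev` flag against the project's own `package.json`, and drafts `resolutions` (Yarn 1 / npm-force-resolutions) and `overrides` (npm 8.3+) pins for the advisories you choose not to accept. The report and package.json are constructed from the output posted above; the pouchdb version spec is a placeholder, and the "lowest `>=` bound" pin heuristic is this example's simplification, not npm's logic.

```javascript
// Added example: triage an npm 6 `npm audit --json` report by production
// reachability and draft pins. Not code from CRA, npm or this thread.

// Constructed from the posted table: react-scripts is shown as "[dev]",
// pouchdb is not. The pouchdb version spec is a placeholder.
const PACKAGE_JSON = {
  dependencies: { react: "17.0.2", "react-dom": "17.0.2", pouchdb: "^7.1.0" },
  devDependencies: { "react-scripts": "^4.0.3" },
};

// Constructed subset of npm 6's audit JSON (only fields the triage needs):
// advisories[id] = { module_name, severity, title, patched_versions, url,
//                    findings: [{ paths: ["root>...>leaf"], dev: boolean }] }
const AUDIT_REPORT = {
  advisories: {
    1556: {
      module_name: "node-fetch", severity: "low", title: "Denial of Service",
      patched_versions: ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9",
      url: "https://npmjs.com/advisories/1556",
      findings: [{ paths: ["pouchdb>node-fetch"], dev: false }],
    },
    1747: {
      module_name: "browserslist", severity: "moderate",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=4.16.5",
      url: "https://npmjs.com/advisories/1747",
      findings: [{ paths: ["react-scripts>react-dev-utils>browserslist"], dev: true }],
    },
    1751: {
      module_name: "glob-parent", severity: "moderate",
      title: "Regular expression denial of service",
      patched_versions: ">=5.1.2",
      url: "https://npmjs.com/advisories/1751",
      findings: [{
        paths: [
          "react-scripts>webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent",
          "react-scripts>webpack-dev-server>chokidar>glob-parent",
        ],
        dev: true,
      }],
    },
  },
};

// The first segment of "a>b>c" is the direct dependency declared in package.json.
function rootOf(path) {
  return path.split(">")[0];
}

// Dev-only means: npm flagged every finding as dev AND every path roots at a
// package declared only in devDependencies. Requiring both to agree guards
// against a lockfile/package.json mismatch (e.g. react-scripts moved between
// the two sections without reinstalling).
function isDevOnly(advisory, pkg) {
  const dev = pkg.devDependencies || {};
  const prod = pkg.dependencies || {};
  return advisory.findings.every(
    (f) => f.dev === true &&
      f.paths.every((p) => rootOf(p) in dev && !(rootOf(p) in prod))
  );
}

// Returns { devOnly, production, failBuild }. failBuild is the CI gate: fail
// only when an advisory is reachable from a production dependency.
function triageAudit(report, pkg) {
  const devOnly = [];
  const production = [];
  for (const [id, adv] of Object.entries(report.advisories)) {
    const entry = {
      id: Number(id), module: adv.module_name, severity: adv.severity,
      title: adv.title, patched: adv.patched_versions, url: adv.url,
      paths: adv.findings.flatMap((f) => f.paths),
    };
    (isDevOnly(adv, pkg) ? devOnly : production).push(entry);
  }
  return { devOnly, production, failBuild: production.length > 0 };
}

// Heuristic (this example's, not npm's): take the first ">=x.y.z" bound of the
// patched range as the pin candidate. Good enough for the ranges in this
// report; a real tool should evaluate the full range with a semver library.
function minPatchedVersion(range) {
  const m = />=\s*(\d+\.\d+\.\d+)/.exec(range || "");
  return m ? m[1] : null;
}

// Draft pins keyed by the transitive package name, in both the `resolutions`
// shape (Yarn 1, npm-force-resolutions) and npm >= 8.3's `overrides` shape.
// By default only production-reachable advisories are pinned.
function draftPins(triage, { includeDev = false } = {}) {
  const targets = includeDev ? [...triage.production, ...triage.devOnly] : triage.production;
  const pins = {};
  for (const t of targets) {
    const v = minPatchedVersion(t.patched);
    if (v) pins[t.module] = v;
  }
  return { resolutions: pins, overrides: { ...pins } };
}

// Demo run over the constructed report.
const triage = triageAudit(AUDIT_REPORT, PACKAGE_JSON);
for (const a of triage.devOnly) console.log(`accept (dev-only)  ${a.module} #${a.id} ${a.severity}`);
for (const a of triage.production) console.log(`review (prod path) ${a.module} #${a.id} ${a.severity} via ${a.paths.join(", ")}`);
console.log(JSON.stringify(draftPins(triage), null, 2));
console.log(triage.failBuild ? "would exit 1" : "would exit 0");
```

With npm-force-resolutions the drafted `resolutions` object goes into package.json alongside `"scripts": { "preinstall": "npx npm-force-resolutions" }`; with npm 8.3 or later the `overrides` object is honoured natively and no preinstall step is needed. Two caveats a reviewer would raise: a "production-reachable" path only tells you the package is installed under a regular dependency, not that the code runs in the deployed artifact (for a browser bundle, check what the production build actually includes before treating node-fetch as exploitable), and a pin is a fork of the maintainer's dependency decision, so run the test suite after pinning and drop the pin once upstream (here pouchdb) ships the fix.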


gaearon commented Sep 23, 2021

There is no actual vulnerability here. Our policy is to close such issues.
#11174

@gaearon gaearon closed this as completed Sep 23, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Sep 23, 2021