Running the npx script create-react-app installs the react-scripts module when it does its work, but the various scripts therein often have one or more vulnerabilities in them, according to npm audit. This is a bit distracting, because you would normally never want to see any warnings or errors from an audit, especially when you haven’t even written any code.

People regularly report these problems to the create-react-app developers, but it turns out to be unnecessary in most cases. The developers close most of the reports, with the following explanation.

The npm audit tool runs over all of the installed npm modules that you have, but it really only needs to be run against the code that would run in production, not all of the npm modules. It’s not really a denial-of-service vulnerability, for example, if a module only executes when you occasionally run it during development on your machine. The react-scripts is just such a module of scripts, and it should be excluded from both production dependencies and production audits.

For the first, in your package.json file, move react-scripts from the dependencies section to a new section called devDependencies:

"devDependencies" : {
    "react-scripts" : "4.0.3"
}

Then, when you run your audit, specify the –production option:

npm audit --production

Hopefully, if you’re running a modern version of the modules, your audit should be clean after these changes.