"react-scripts": By When vulnerability fixes be rolled out on npm?

[naminder]

Updation of various packages like:
Jest 27x
ansi-html
ansi-regex
browserslist
css-what
einaros/ws
glob-parent
immer
node-shell-quote
nth-check
semver-regex
set-value
sindresorhus/normalize-url

[twocs]

Ejecting is just not good enough when there is the vulnerable react-scripts. We need to npm uninstall react-scripts and then do something like install webpack, which is a hassle but now we don't have vulnerabilities anymore.

[naminder]

So what you are suggesting is to go for eject and fix vulnerabilities?

Also, I see https://github.com/facebook/create-react-app/blob/main/packages/react-scripts/package.json.

Most of the fixes are already there in the repo, just not part of npm registered "react-scripts"