Hello,
I am using the latest version of react-scripts with Create React App. After running npm audit, I still see several high and moderate security vulnerabilities in indirect dependencies, mainly:
nth-check via svgo → @svgr/plugin-svgo → @svgr/webpack → react-scripts
postcss via resolve-url-loader
webpack-dev-server
Running npm audit fix does not resolve these issues. Running npm audit fix --force suggests downgrading react-scripts to 0.0.0, which breaks the project.
Steps to reproduce:
Create a new CRA project (npx create-react-app my-app)
Run npm audit
Observe the vulnerabilities in the report
Expected behavior:
Updating to the latest react-scripts should resolve known vulnerabilities, or at least provide a path to do so without breaking the project.
Actual behavior:
Vulnerabilities remain due to outdated indirect dependencies. There is no safe way to resolve them.
Environment:
OS: Windows 10/11
Node: v22.15.0
npm: 11.4.2
react-scripts: (the error, still present after npm install)
npx react-scripts --version
'2\jsx\node_modules.bin' is not recognized as an internal or external command,
operable program or batch file.
node:internal/modules/cjs/loader:1404
throw err;
^
Error: Cannot find module 'D:\developpement\Formation\React\Modern_React_With_Redux\react-scripts\bin\react-scripts.js'
at Function._resolveFilename (node:internal/modules/cjs/loader:1401:15)
at defaultResolveImpl (node:internal/modules/cjs/loader:1057:19)
at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1062:22)
at Function._load (node:internal/modules/cjs/loader:1211:37)
at TracingChannel.traceSync (node:diagnostics_channel:322:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:235:24)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:170:5)
at node:internal/main/run_main_module:36:49 {
code: 'MODULE_NOT_FOUND',
requireStack: []
}
Node.js v22.15.0
Additional context:
This issue affects many users and is visible in new and existing projects. Are there plans to update these dependencies or provide guidance for users concerned about these vulnerabilities?
Thank you!
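One way to triage output like the report above before deciding whether a forced downgrade is worth it, as an added example (not code from the create-react-app project or from the reporter): parse `npm audit --json` (the `auditReportVersion: 2` shape emitted by npm 7 and later, with `via`, `effects`, `isDirect` and `fixAvailable` fields), separate the packages that actually carry an advisory from those merely affected through them, walk `effects` up to the direct dependency, and classify the fix npm offers. The sample report is constructed from the dependency chains named in the issue; advisory titles, URLs and version ranges are placeholders, and the `fixAvailable` entry mirrors the `react-scripts@0.0.0` semver-major downgrade the reporter describes.

```python
"""Triage `npm audit --json` (auditReportVersion 2): which packages carry an
advisory, how each reaches a direct dependency, and what kind of fix npm offers.
Usage: python audit_triage.py [audit.json]   (runs on the constructed sample otherwise)
"""
import json
import sys
from typing import Any, Dict, List


def _entry(name: str, severity: str, via: List[Any], effects: List[str],
           is_direct: bool = False) -> Dict[str, Any]:
    # One `vulnerabilities` entry in the shape npm emits (constructed sample data).
    return {
        "name": name, "severity": severity, "isDirect": is_direct,
        "via": via, "effects": effects, "range": "<placeholder-range>",
        "nodes": [f"node_modules/{name}"],
        # Same proposal the reporter saw: only a semver-major downgrade is on offer.
        "fixAvailable": {"name": "react-scripts", "version": "0.0.0", "isSemVerMajor": True},
    }


def _advisory(pkg: str, severity: str) -> Dict[str, Any]:
    # A `via` element that is an object (not a bare package name) is a real advisory.
    return {"name": pkg, "title": f"constructed advisory for {pkg}",
            "url": "https://example.invalid/advisory", "severity": severity,
            "range": "<placeholder-range>"}


# Constructed sample mirroring the chains named in the issue; not real audit output.
SAMPLE_AUDIT: Dict[str, Any] = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "nth-check": _entry("nth-check", "high", [_advisory("nth-check", "high")], ["svgo"]),
        "svgo": _entry("svgo", "high", ["nth-check"], ["@svgr/plugin-svgo"]),
        "@svgr/plugin-svgo": _entry("@svgr/plugin-svgo", "high", ["svgo"], ["@svgr/webpack"]),
        "@svgr/webpack": _entry("@svgr/webpack", "high", ["@svgr/plugin-svgo"], ["react-scripts"]),
        "postcss": _entry("postcss", "moderate", [_advisory("postcss", "moderate")], ["resolve-url-loader"]),
        "resolve-url-loader": _entry("resolve-url-loader", "moderate", ["postcss"], ["react-scripts"]),
        "webpack-dev-server": _entry("webpack-dev-server", "moderate",
                                     [_advisory("webpack-dev-server", "moderate")], ["react-scripts"]),
        "react-scripts": _entry("react-scripts", "high",
                                ["@svgr/webpack", "resolve-url-loader", "webpack-dev-server"], [],
                                is_direct=True),
    },
}


def advisory_roots(report: Dict[str, Any]) -> List[str]:
    """Packages whose `via` holds at least one advisory object; the rest are
    only listed because something beneath them is vulnerable."""
    vulns = report["vulnerabilities"]
    return sorted(n for n, v in vulns.items() if any(isinstance(x, dict) for x in v["via"]))


def chains_to_direct(report: Dict[str, Any], name: str) -> List[List[str]]:
    """Every path name -> ... -> direct dependency, following `effects` upward."""
    vulns = report["vulnerabilities"]
    paths: List[List[str]] = []

    def walk(pkg: str, path: List[str]) -> None:
        entry = vulns.get(pkg)
        if entry is None:
            return
        if entry["isDirect"] or not entry["effects"]:
            paths.append(path)
            return
        for parent in entry["effects"]:
            if parent not in path:  # guard against dependency cycles
                walk(parent, path + [parent])

    walk(name, [name])
    return paths


def fix_kind(entry: Dict[str, Any]) -> str:
    """Classify npm's `fixAvailable`: False/None, True, or {name, version, isSemVerMajor}."""
    fix = entry.get("fixAvailable")
    if not fix:
        return "no fix available"
    if fix is True:
        return "non-breaking fix (npm audit fix)"
    if fix.get("isSemVerMajor"):
        return f"breaking change only: {fix['name']}@{fix['version']} (npm audit fix --force)"
    return f"fix via {fix['name']}@{fix['version']}"


def triage(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One row per advisory-carrying package: severity, chains to a direct dep, fix class."""
    vulns = report["vulnerabilities"]
    return [{
        "package": name,
        "severity": vulns[name]["severity"],
        "chains": [" -> ".join(p) for p in chains_to_direct(report, name)],
        "fix": fix_kind(vulns[name]),
    } for name in advisory_roots(report)]


if __name__ == "__main__":
    report = SAMPLE_AUDIT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    for row in triage(report):
        print(json.dumps(row))
```

Run it as `npm audit --json > audit.json && python audit_triage.py audit.json`. Rows whose chain ends at a build-time-only direct dependency and whose fix is "breaking change only" are the ones to assess for actual exposure (whether the vulnerable code ever processes untrusted input in your pipeline) rather than to resolve with `npm audit fix --force`; npm's `overrides` field in package.json is the supported mechanism for pinning a transitive package to a patched release without changing the direct dependency, which is a safer path than the downgrade the audit proposes.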