Npm audit fix --force react script downgrade automatically

Solution 1:

One of the create-react-app maintainers has announced that they cannot fix this as the vulnerabilities affect transitive dependencies, and that it should not matter.

The reasoning is that the npm audit feature was built with Node apps in mind, not build tools. Vulnerabilities in the dependencies should (in most cases) not translate to vulnerabilities in the static web app produced by create-react-app.

A possible workaround is to move react-scripts to the devDependencies section in your package.json and use npm audit --production to audit your dependencies.

Source: https://github.com/facebook/create-react-app/issues/11174
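The workaround above, written out as an added example (not code from the answer or from create-react-app): the package.json below is a constructed sample, and the function moves react-scripts from dependencies into devDependencies so that a subsequent npm audit --production skips it.

```python
"""Move a build tool (react-scripts) from dependencies to devDependencies.

`npm audit --production` only audits the dependencies tree, so advisories
that reach the project solely through react-scripts drop out of the report.
Added example; the package.json content here is constructed, not real.
"""
import json
from copy import deepcopy

# Constructed sample package.json as produced by create-react-app,
# with react-scripts still listed under "dependencies".
SAMPLE_PACKAGE = {
    "name": "my-app",
    "version": "0.1.0",
    "dependencies": {
        "react": "^17.0.2",
        "react-dom": "^17.0.2",
        "react-scripts": "4.0.3",
    },
    "scripts": {"start": "react-scripts start", "build": "react-scripts build"},
}


def move_to_dev_dependencies(pkg: dict, name: str = "react-scripts") -> dict:
    """Return a copy of `pkg` with `name` moved into devDependencies.

    The version spec is preserved. If `name` is not in dependencies
    (already moved, or never declared) the package is returned unchanged,
    so running this twice is safe.
    """
    updated = deepcopy(pkg)
    deps = updated.get("dependencies", {})
    if name in deps:
        version = deps.pop(name)
        updated.setdefault("devDependencies", {})[name] = version
    return updated


def to_package_json_text(pkg: dict) -> str:
    """Serialize with the 2-space indent npm itself writes."""
    return json.dumps(pkg, indent=2) + "\n"


if __name__ == "__main__":
    # Write the result back to package.json, then run: npm audit --production
    print(to_package_json_text(move_to_dev_dependencies(SAMPLE_PACKAGE)))
```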

Solution 2:

A few developers are now slowly getting this hopefully temporary problem when they update their projects.

For example: https://github.com/facebook/create-react-app/issues/11012

Recommendation is to leave this on the todo list, and wait a few days while the package developers fix this (at least for the packages that have already been notified).

Then run audit fix again.

In the meantime, one error in particular, the 'high' severity one:

dns-packet  <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745


Would be a problem if the React application is running in dev mode on a public network, e.g. running a server in dev mode on Heroku via npm run start to the whole world (a BAD idea; consider searching how to deploy a React application in production mode, there are a few methods).

If you are @home, on a local network, you should be ok.

If you are on public Wi-Fi, just don't for now.