How to fix Vulnerability in react-scripts

[LiamK021]

Hi,
I have worked with React projects, and I have 9 vulnerabilities when I run npm command npm audit command
And when I run the command npm audit fix, it doesn't fix those vulnerabilities.

I have googled and found that some answers.
For example:
To fix optimize-css-assets-webpack-plugin pulgin: I need to update to version 5.0.6 from 5.0.4

But how can this npm module is only listed in package-lock.json (as in the required npm module of react-scripts) but not in package.json

Please help me how to upgrade optimize-css-assets-webpack-plugin npm module?
And is there any other way to fix these vulnerabilities?

[akachi1409]

Hi, Liam
I have had the same error and tried to find out the solution.

I have found that yarn is better than npm in dependency management, so I have used yarn to install the npm package and add the following code to the package.json file.

And if you run yarn audit command, you can check the result.

[LiamK021]

Thanks, trusteddev1325
It has some warnings but removed all the vulnerabilites.

[gaearon]

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.