
react-scripts showing false critical vulnerabilities is ANNOYING #3930

Closed
jap99 opened this issue Oct 21, 2021 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@jap99

jap99 commented Oct 21, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

'npm audit' results in tens or hundreds of vulnerabilities, many or most of them listed as critical.

Even though these false positive vulnerabilities are simply false positives, they're not only extremely annoying, but they will make it too difficult to identify any time there is a real attack against the build toolchain, because it will be hidden / buried in with all the false positives.

Please fix this ASAP.

Expected Behavior

Stop showing false positives; start with react-scripts.

Steps To Reproduce

Open multiple different react projects.
Each react project should have different versions of react, node, & other popular npm packages.
Do 'npm audit' & you'll see the issues.

Thank you.

Environment

No response

@jap99 jap99 added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Oct 21, 2021
@lil5

lil5 commented Oct 22, 2021

This "bug" is a symptom of a larger problem.

Some developers are of the opinion that because their package only runs on a developer's machine, certain vulnerabilities would not affect their package (DDoS).
Others have started bundling the vulnerable packages inside their package sidelining npm's audit system.

Hiding all 💯 vulnerabilities for those packages IMO will not help, as it gives a false sense of security.

I propose altering npm's deprecation system to be able to specify if the vulnerability will affect non-live environments.
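
Until npm can carry that kind of environment flag, a practitioner triaging the output described in this thread can at least separate findings that are reachable only through devDependencies (such as react-scripts) from those that reach a production dependency. The script below is an added example, not code from npm or from anyone in this thread; the audit report and package.json it reads are constructed, and it assumes the npm 7+ `npm audit --json` shape in which each entry lists `isDirect` and `effects` (the dependents it makes vulnerable).

```python
"""Classify `npm audit --json` findings as dev-only or production-reachable.
Sample data is constructed for this example; all package names except
react-scripts are invented.  The report shape (entries with `isDirect` and
`effects`) is assumed to match npm 7+ audit JSON."""
import json

# Constructed package.json: react-scripts is a build-time (dev) dependency.
PACKAGE_JSON = json.loads("""{
  "dependencies": {"react": "^17.0.2", "example-http-client": "^1.0.0"},
  "devDependencies": {"react-scripts": "4.0.3"}
}""")

# Constructed `npm audit --json` excerpt: one chain ends at react-scripts
# (dev-only), the other at a runtime dependency (production).
AUDIT_JSON = json.loads("""{
  "vulnerabilities": {
    "example-css-parser": {"severity": "high", "isDirect": false,
                           "effects": ["react-scripts"]},
    "react-scripts": {"severity": "high", "isDirect": true, "effects": []},
    "example-url-lib": {"severity": "critical", "isDirect": false,
                        "effects": ["example-http-client"]},
    "example-http-client": {"severity": "critical", "isDirect": true,
                            "effects": []}
  }
}""")


def direct_roots(name, vulns, seen=None):
    """Follow `effects` edges upward until direct dependencies are reached."""
    seen = set() if seen is None else seen
    entry = vulns.get(name)
    if entry is None or name in seen:   # unknown node or cycle: stop here
        return set()
    seen.add(name)
    roots = {name} if entry.get("isDirect") else set()
    for dependent in entry.get("effects", []):
        roots |= direct_roots(dependent, vulns, seen)
    return roots


def triage(audit, package_json):
    """Return {package: 'production' | 'dev-only' | 'unresolved'}."""
    prod = set(package_json.get("dependencies", {}))
    result = {}
    for name in audit["vulnerabilities"]:
        roots = direct_roots(name, audit["vulnerabilities"])
        # Any path to a production dependency means the code ships at runtime.
        if roots & prod:
            result[name] = "production"
        else:
            result[name] = "dev-only" if roots else "unresolved"
    return result
```

Run `npm audit --json > audit.json` and feed the file to `triage` in place of the constructed sample; "production" findings are the ones that must not be buried.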

@fritzy
Contributor

fritzy commented Oct 26, 2021

This is being addressed and discussed as an RFC. Feel free to join the conversation. npm/rfcs#422
