Unable to create-react-app due to vulnerabilities

[sanklamm]

Is this a bug report?

yes

Did you try recovering your dependencies?

Yes. Nothing changed.

npm --version
6.6.0

yarn --version
1.13.0

Which terms did you search for in User Guide?

vulnerabilities, failure, aborted installation

Environment

Environment Info:

  System:
    OS: Linux 4.19 Debian GNU/Linux buster/sid undefined
    CPU: x64 Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
  Binaries:
    Node: 10.8.0 - /usr/local/bin/node
  Browsers:
    Chrome: 65.0.3325.181
    Firefox: 60.4.0
  npmPackages:
    react: Not Found
    react-dom: Not Found
    react-scripts: Not Found
  npmGlobalPackages:
    create-react-app: Not Found

Steps to Reproduce

Start a new react app in a new project.

1. update npm globally
2. npm install -g create-react-app
3. `create-react-app my-app

or

1. install yarn
2. yarn create react-app my-app

or

1. npx create-react-app my-app

Expected Behavior

Create the react app in my-app.

Actual Behavior

In all three cases the installation starts but it reports vulnerabilities and aborts the installation and deletes the generated files node_nodules and package.json which makes it impossible to run the recommended step npm audit fix.

npx create-react-app my-app

Creating a new React app in /home/foo/bar/project/my-app.

Aborted
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...

+ react-dom@16.7.0
+ react@16.7.0
+ react-scripts@0.9.5
added 965 packages from 653 contributors and audited 9025 packages in 38.641s
found 39 vulnerabilities (5 low, 27 moderate, 6 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Aborting installation.
  npm install --save --save-exact --loglevel error react react-dom react-scripts@0.9.x has failed.

Deleting generated file... node_modules
Deleting generated file... package.json
Done.

yarn create react-app my-app

yarn create v1.13.0
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Installed "create-react-app@2.1.3" with binaries:
      - create-react-app
[################################################################] 64/64
Creating a new React app in /home/foo/bar/project/my-app.

Aborted
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...

+ react-dom@16.7.0
+ react@16.7.0
+ react-scripts@0.9.5
added 965 packages from 653 contributors and audited 9025 packages in 35.877s
found 39 vulnerabilities (5 low, 27 moderate, 6 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Aborting installation.
  npm install --save --save-exact --loglevel error react react-dom react-scripts@0.9.x has failed.

Deleting generated file... node_modules
Deleting generated file... package.json
Done.
Aborted
error Command failed.
Exit code: 134
Command: /home/my-user/.yarn/bin/create-react-app
Arguments: my-app
Directory: /home/foo/bar/project
Output:

info Visit https://yarnpkg.com/en/docs/cli/create for documentation about this command.

Reproducible Demo

I can't even create an app. That is the issue.

[MulleOne]

Try running this command:
npm cache clean --force then later create-react-app app-name

[gaearon]

It's super weird to see react-scripts@0.9.5 in the logs; that's a version from a few years ago.