npm audit

I recently acquired a new computer, and set about to see if I could re-create my python/react setup by checking out my source code from github.

Everything went pretty smoothly, except when I run npm audit fix I get this puzzling output:

PS C:\blah> npm audit fix

up to date, audited 2022 packages in 3s

142 packages are looking for funding
  run `npm fund` for details

# npm audit report

react  <0.14.0
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1347
fix available via `npm audit fix`


1 high severity vulnerability

To address all issues, run:
  npm audit fix

npm audit fix is doing nothing, and then telling me to run npm audit fix. Something is not right here!

I tried removing package-lock.json and node_modules and running npm install, which upgraded a few things – that’s nice, I suppose – but I end up in the same situation.

The strange thing is, when I check npm list react, it shows react 16.14.0! There is no secret version of react <0.14.0 anywhere. I checked npm list -g react just for good measure, and it’s empty. What gives?

When I install react/react-dom 16.14.0 into an empty directory, the vulnerability isn’t there. So it must be one of my other dependencies – but I remove them one by one, and I get all the way down to just react and react-dom and the vulnerability is still there! What?? Okay, so what if I take the directory without the vulnerability, and add stuff to it until it looks like my project? What then, npm audit boy??

The first thing I do is rename the directory, and bam, that’s it. The vulnerability is in both places now. I have chosen an unfortunate name for my directory of react code: “react”! npm audit must think that I’m inside a react package of version 0, and so it complains about version <0.14.0.

I suppose I should think of a better name for that directory… but at least I know what’s going on now.
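As an added illustration (this is not code from the original post), here is a small Python check that catches the situation described above before npm audit does: it derives the name npm would use for the root project (the package.json "name" if present, otherwise the directory basename, which is the behaviour this post infers) and warns when that name collides with a dependency in package-lock.json. The sample package.json and lockfile below are constructed for the example.

```python
import json
from pathlib import PurePosixPath

# Constructed sample: a project directory named "react" with a package.json
# that has no "name" field, and a lockfileVersion 2 package-lock.json.
SAMPLE_DIR = "/home/dev/react"
SAMPLE_PACKAGE_JSON = {"private": True, "dependencies": {"react": "^16.14.0"}}
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"react": "^16.14.0", "react-dom": "^16.14.0"}},
    "node_modules/react": {"version": "16.14.0"},
    "node_modules/react-dom": {"version": "16.14.0"},
    "node_modules/react-dom/node_modules/scheduler": {"version": "0.19.1"}
  }
}""")


def effective_root_name(project_dir, package_json):
    """Name the audit tree uses for the root project.

    Assumption (matching what the post observed): a missing package.json
    "name" falls back to the directory basename.
    """
    return package_json.get("name") or PurePosixPath(project_dir).name


def locked_dependency_names(lockfile):
    """Collect package names from a package-lock.json (v1 or v2/v3 format)."""
    names = set()
    for key in lockfile.get("packages", {}):
        if key == "":          # v2/v3: "" is the root project itself
            continue
        # "node_modules/a/node_modules/b" and "node_modules/@scope/c" both
        # end in the package name after the last "node_modules/" segment.
        names.add(key.split("node_modules/")[-1])
    names.update(lockfile.get("dependencies", {}))   # v1 lockfiles
    return names


def audit_name_collision(project_dir, package_json, lockfile):
    """Return the colliding name if the root project would be audited under
    the same name as one of its own dependencies, otherwise None."""
    root = effective_root_name(project_dir, package_json)
    return root if root in locked_dependency_names(lockfile) else None


if __name__ == "__main__":
    hit = audit_name_collision(SAMPLE_DIR, SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)
    if hit:
        print(f'root project is unnamed and its directory "{hit}" matches a '
              f'dependency; set a distinct "name" in package.json')
```

On the constructed sample the check reports "react", and it stays quiet once package.json carries a distinct "name", which is the cheaper fix compared with renaming the directory.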
