# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install serve@14.1.2, which is a breaking change
node_modules/serve/node_modules/ajv
  serve  7.0.0 - 14.0.1
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of serve-handler
  node_modules/serve

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
      @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
      Depends on vulnerable versions of react-scripts
      node_modules/@craco/craco
      craco-less  1.0.4 - 1.20.0
      Depends on vulnerable versions of react-scripts
      node_modules/craco-less
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

ansi-regex  3.0.0 || 4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-align/node_modules/ansi-regex
node_modules/boxen/node_modules/ansi-regex
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
node_modules/ora/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/ansi-regex
node_modules/widest-line/node_modules/ansi-regex

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

axios  <0.21.2
Severity: high
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
No fix available
node_modules/axios
  @bflow/bflow-approvals-public-contracts  *
  Depends on vulnerable versions of axios
  node_modules/@bflow/bflow-approvals-public-contracts
  @bflow/bflow-identity-server-public-contracts  *
  Depends on vulnerable versions of axios
  node_modules/@bflow/bflow-identity-server-public-contracts
  @bflow/bflow-notifications-public-contracts  *
  Depends on vulnerable versions of axios
  node_modules/@bflow/bflow-notifications-public-contracts
  @bflow/bflow-registry-of-deeds-public-contracts  *
  Depends on vulnerable versions of axios
  node_modules/@bflow/bflow-registry-of-deeds-public-contracts

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
      @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
      Depends on vulnerable versions of react-scripts
      node_modules/@craco/craco
      craco-less  1.0.4 - 1.20.0
      Depends on vulnerable versions of react-scripts
      node_modules/craco-less

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install ant-design-pro@0.3.1, which is a breaking change
node_modules/@nivo/colors/node_modules/d3-color
node_modules/@nivo/core/node_modules/d3-color
node_modules/d3-color
  @antv/l7-layers  *
  Depends on vulnerable versions of @antv/l7-utils
  Depends on vulnerable versions of d3-color
  node_modules/@antv/l7-layers
    @antv/l7  >=2.0.0-alpha.27
    Depends on vulnerable versions of @antv/l7-component
    Depends on vulnerable versions of @antv/l7-layers
    Depends on vulnerable versions of @antv/l7-source
    Depends on vulnerable versions of @antv/l7-utils
    node_modules/@antv/l7
      @antv/l7plot  *
      Depends on vulnerable versions of @antv/l7
      node_modules/@antv/l7plot
        @ant-design/maps  *
        Depends on vulnerable versions of @antv/l7plot
        node_modules/@ant-design/charts/node_modules/@ant-design/maps
          @ant-design/charts  >=1.3.0-beta.3
          Depends on vulnerable versions of @ant-design/maps
          node_modules/@ant-design/charts
    @antv/l7-scene  <=2.0.0-beta.1 || >=2.0.15
    Depends on vulnerable versions of @antv/l7-component
    Depends on vulnerable versions of @antv/l7-layers
    Depends on vulnerable versions of @antv/l7-utils
    node_modules/@antv/l7-scene
  @antv/l7-utils  >=2.0.15
  Depends on vulnerable versions of d3-color
  node_modules/@antv/l7-utils
    @antv/l7-component  >=2.0.15
    Depends on vulnerable versions of @antv/l7-utils
    node_modules/@antv/l7-component
    @antv/l7-core  >=2.0.15
    Depends on vulnerable versions of @antv/l7-utils
    node_modules/@antv/l7-core
      @antv/l7-maps  <=2.0.0-beta.1 || >=2.0.15
      Depends on vulnerable versions of @antv/l7-core
      Depends on vulnerable versions of @antv/l7-map
      Depends on vulnerable versions of @antv/l7-utils
      node_modules/@antv/l7-maps
      @antv/l7-renderer  <=2.0.0-beta.1 || >=2.0.15
      Depends on vulnerable versions of @antv/l7-core
      node_modules/@antv/l7-renderer
    @antv/l7-map  *
    Depends on vulnerable versions of @antv/l7-utils
    node_modules/@antv/l7-map
    @antv/l7-source  *
    Depends on vulnerable versions of @antv/l7-utils
    Depends on vulnerable versions of @mapbox/geojson-rewind
    node_modules/@antv/l7-source
  @nivo/colors  *
  Depends on vulnerable versions of @nivo/core
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors
    @nivo/marimekko  *
    Depends on vulnerable versions of @nivo/colors
    Depends on vulnerable versions of d3-scale
    node_modules/@nivo/marimekko
  @nivo/core  *
  Depends on vulnerable versions of @nivo/tooltip
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale-chromatic
  node_modules/@nivo/core
    @nivo/axes  *
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of @nivo/scales
    node_modules/@nivo/axes
    @nivo/legends  >=0.56.0
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/legends
    @nivo/tooltip  *
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/tooltip
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@antv/g/node_modules/d3-interpolate
  node_modules/@nivo/core/node_modules/d3-interpolate
  node_modules/bizcharts/node_modules/d3-interpolate
  node_modules/d3-interpolate
    @antv/g  <=3.5.0-beta.6
    Depends on vulnerable versions of d3-interpolate
    node_modules/@antv/g
    node_modules/bizcharts/node_modules/@antv/component/node_modules/@antv/g
      @antv/component  *
      Depends on vulnerable versions of @antv/g
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/component
      node_modules/bizcharts/node_modules/@antv/component
        @antv/g2  <=4.2.8
        Depends on vulnerable versions of @antv/component
        Depends on vulnerable versions of @antv/g
        Depends on vulnerable versions of @antv/g-base
        Depends on vulnerable versions of venn.js
        node_modules/@antv/g2
        node_modules/bizcharts/node_modules/@antv/g2
          @antv/g2plot  >=1.0.0
          Depends on vulnerable versions of @antv/g2
          node_modules/@antv/g2plot
            @ant-design/plots  *
            Depends on vulnerable versions of @antv/g2plot
            node_modules/@ant-design/plots
          bizcharts  <=3.5.10
          Depends on vulnerable versions of @antv/g2
          node_modules/bizcharts
            ant-design-pro  >=1.0.0
            Depends on vulnerable versions of bizcharts
            node_modules/ant-design-pro
    @antv/g-base  *
    Depends on vulnerable versions of d3-interpolate
    node_modules/@antv/g-base
      @antv/g-canvas  <=0.5.12
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/g-canvas
      @antv/g-svg  <=0.5.6
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/g-svg
      @antv/g6-core  *
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/g6-core
      @antv/g6-element  *
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/g6-element
      @antv/g6-pc  *
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/g6-pc
        @antv/g6  >=4.1.0-beta.0
        Depends on vulnerable versions of @antv/g6-pc
        node_modules/@antv/g6
          @ant-design/graphs  *
          Depends on vulnerable versions of @antv/g6
          node_modules/@ant-design/charts/node_modules/@ant-design/graphs
      @antv/g6-plugin  *
      Depends on vulnerable versions of @antv/g-base
      node_modules/@antv/g6-plugin
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale
    node_modules/@nivo/core/node_modules/d3-scale
    node_modules/@nivo/marimekko/node_modules/d3-scale
    node_modules/@nivo/scales/node_modules/d3-scale
    node_modules/d3-scale
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-transition
      venn.js  >=0.2.11
      Depends on vulnerable versions of d3-transition
      node_modules/venn.js

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ejs
  @surma/rollup-plugin-off-main-thread  <=2.1.0
  Depends on vulnerable versions of ejs
  node_modules/@surma/rollup-plugin-off-main-thread
    workbox-build  5.0.0-alpha.0 - 6.3.0
    Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
    node_modules/workbox-build
      workbox-webpack-plugin  5.0.0-alpha.0 - 5.1.4 || 6.2.2 - 6.3.0
      Depends on vulnerable versions of workbox-build
      node_modules/workbox-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of optimize-css-assets-webpack-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of resolve-url-loader
        Depends on vulnerable versions of webpack-dev-server
        Depends on vulnerable versions of workbox-webpack-plugin
        node_modules/react-scripts
          @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
          Depends on vulnerable versions of react-scripts
          node_modules/@craco/craco
          craco-less  1.0.4 - 1.20.0
          Depends on vulnerable versions of react-scripts
          node_modules/craco-less

eventsource  <1.1.1
Severity: critical
Exposure of Sensitive Information in eventsource - https://github.com/advisories/GHSA-6h5x-7c5m-7cr7
fix available via `npm audit fix`
node_modules/eventsource

follow-redirects  <1.14.8
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
fix available via `npm audit fix`
node_modules/follow-redirects

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts
        @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
        Depends on vulnerable versions of react-scripts
        node_modules/@craco/craco
        craco-less  1.0.4 - 1.20.0
        Depends on vulnerable versions of react-scripts
        node_modules/craco-less
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    vinyl-fs  >=2.4.2
    Depends on vulnerable versions of glob-stream
    node_modules/vinyl-fs
      i18next-scanner  >=1.3.0
      Depends on vulnerable versions of vinyl-fs
      node_modules/i18next-scanner

html-parse-stringify2  *
Severity: moderate
Regular expression denial of service (ReDoS) - https://github.com/advisories/GHSA-545q-3fg6-48m7
fix available via `npm audit fix --force`
Will install react-i18next@11.18.6, which is outside the stated dependency range
node_modules/html-parse-stringify2
  react-i18next  5.4.0 - 11.8.12
  Depends on vulnerable versions of html-parse-stringify2
  node_modules/react-i18next

immer  <9.0.6
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/immer
node_modules/react-dev-utils/node_modules/immer
  @reduxjs/toolkit  <=1.5.1
  Depends on vulnerable versions of immer
  node_modules/@reduxjs/toolkit
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
      @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
      Depends on vulnerable versions of react-scripts
      node_modules/@craco/craco
      craco-less  1.0.4 - 1.20.0
      Depends on vulnerable versions of react-scripts
      node_modules/craco-less

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/npm/node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/npm/node_modules/jsprim

loader-utils  <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/babel-loader/node_modules/loader-utils
node_modules/html-webpack-plugin/node_modules/loader-utils
node_modules/loader-utils
node_modules/mini-css-extract-plugin/node_modules/loader-utils
node_modules/postcss-loader/node_modules/loader-utils
node_modules/react-dev-utils/node_modules/loader-utils
node_modules/resolve-url-loader/node_modules/loader-utils
node_modules/webpack/node_modules/loader-utils
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
      @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
      Depends on vulnerable versions of react-scripts
      node_modules/@craco/craco
      craco-less  1.0.4 - 1.20.0
      Depends on vulnerable versions of react-scripts
      node_modules/craco-less
  resolve-url-loader  1.0.3 - 2.0.0 || 3.0.1 - 4.0.0-beta.2
  Depends on vulnerable versions of loader-utils
  node_modules/resolve-url-loader

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install serve@14.1.2, which is a breaking change
node_modules/minimatch
node_modules/npm/node_modules/minimatch
  recursive-readdir  1.2.0 - 2.2.2
  Depends on vulnerable versions of minimatch
  node_modules/recursive-readdir
    react-dev-utils  0.5.2 - 12.0.0-next.60
    Depends on vulnerable versions of browserslist
    Depends on vulnerable versions of immer
    Depends on vulnerable versions of loader-utils
    Depends on vulnerable versions of recursive-readdir
    Depends on vulnerable versions of shell-quote
    node_modules/react-dev-utils
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts
        @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
        Depends on vulnerable versions of react-scripts
        node_modules/@craco/craco
        craco-less  1.0.4 - 1.20.0
        Depends on vulnerable versions of react-scripts
        node_modules/craco-less
  serve-handler  1.1.0 - 6.1.3
  Depends on vulnerable versions of minimatch
  node_modules/serve-handler
    serve  7.0.0 - 14.0.1
    Depends on vulnerable versions of ajv
    Depends on vulnerable versions of serve-handler
    node_modules/serve

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install @ant-design/charts@1.2.14, which is a breaking change
node_modules/minimist
node_modules/sharkdown/node_modules/minimist
  sharkdown  *
  Depends on vulnerable versions of minimist
  node_modules/sharkdown
    @mapbox/geojson-rewind  <=0.4.1
    Depends on vulnerable versions of sharkdown
    node_modules/@mapbox/geojson-rewind
      @antv/l7-source  *
      Depends on vulnerable versions of @antv/l7-utils
      Depends on vulnerable versions of @mapbox/geojson-rewind
      node_modules/@antv/l7-source
        @antv/l7  >=2.0.0-alpha.27
        Depends on vulnerable versions of @antv/l7-component
        Depends on vulnerable versions of @antv/l7-layers
        Depends on vulnerable versions of @antv/l7-source
        Depends on vulnerable versions of @antv/l7-utils
        node_modules/@antv/l7
          @antv/l7plot  *
          Depends on vulnerable versions of @antv/l7
          node_modules/@antv/l7plot
            @ant-design/maps  *
            Depends on vulnerable versions of @antv/l7plot
            node_modules/@ant-design/charts/node_modules/@ant-design/maps
              @ant-design/charts  >=1.3.0-beta.3
              Depends on vulnerable versions of @ant-design/maps
              node_modules/@ant-design/charts

moment  <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix`
node_modules/moment

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
No fix available
node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbjs
      recompose  >=0.18.0
      Depends on vulnerable versions of fbjs
      node_modules/recompose
        @axa-fr/react-oidc-redux  *
        Depends on vulnerable versions of recompose
        node_modules/@axa-fr/react-oidc-redux

node-forge  <=1.2.1
Severity: moderate
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of resolve-url-loader
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts
        @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
        Depends on vulnerable versions of react-scripts
        node_modules/@craco/craco
        craco-less  1.0.4 - 1.20.0
        Depends on vulnerable versions of react-scripts
        node_modules/craco-less

npm  7.9.0 - 8.10.0
Severity: high
Packing does not respect root-level ignore files in workspaces - https://github.com/advisories/GHSA-hj9c-8jmm-8c52
fix available via `npm audit fix --force`
Will install npm@9.1.2, which is a breaking change
node_modules/npm

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of optimize-css-assets-webpack-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of webpack-dev-server
          Depends on vulnerable versions of workbox-webpack-plugin
          node_modules/react-scripts
            @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
            Depends on vulnerable versions of react-scripts
            node_modules/@craco/craco
            craco-less  1.0.4 - 1.20.0
            Depends on vulnerable versions of react-scripts
            node_modules/craco-less
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/shell-quote
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
      @craco/craco  2.1.0 - 2.2.3 || 6.0.0 - 6.4.5
      Depends on vulnerable versions of react-scripts
      node_modules/@craco/craco
      craco-less  1.0.4 - 1.20.0
      Depends on vulnerable versions of react-scripts
      node_modules/craco-less

terser  >=5.0.0 <5.14.2 || <4.8.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser
node_modules/terser-webpack-plugin/node_modules/terser

url-parse  <=1.5.8
Severity: critical
Incorrect hostname / protocol due to unstripped leading control characters. - https://github.com/advisories/GHSA-jf5r-8hm2-f872
Authorization Bypass Through User-Controlled Key in url-parse - https://github.com/advisories/GHSA-hgjh-723h-mx2j
Authorization bypass in url-parse - https://github.com/advisories/GHSA-rqff-837h-mm52
Incorrect returned href via an '@' sign but no user info and hostname - https://github.com/advisories/GHSA-8v38-pw62-9cw2
fix available via `npm audit fix`
node_modules/url-parse

108 vulnerabilities (4 low, 9 moderate, 77 high, 18 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing a different dependency.