I created a React project using npx create-react-app my-app command. I then tested the project using npm start. When I commit the project to Github, I get a security advisory in the project page.
serialize-javascript vulnerability found in yarn.lock
**Remediation**
Upgrade serialize-javascript to version 2.1.1 or later.
I do not have the serialize-javascript dependency in my package.json file. Here is the project in Github - https://github.com/shankarps/ReactPracticeProject/
How can i fix this error?
How can i ensure that the latest dependencies are included in the project when it is created?
This GitHub issue has a pretty good conversation on this:
https://github.com/yarnpkg/yarn/issues/4986
"The workaround of adding sub-dep A as a direct dep just to fix a security issue is worse because it creates confusion (the package is not used directly) as well as a maintenance burden." - kumar303
As a couple others have suggested, adding a resolutions field to your package.json file might be more ideal.
"resolutions": {
"serialize-javascript": "^2.1.1"
}
I had the same issue Reported by GitHub for my React app created by npx create-react-app:
Here is what I did to resolve this security alert for serialize-javascript to do with yarn.lock.
yarn add serialize-javascript
And then git commit and push the changes of package.json and yarn.lock to GitHub. As a result, the alert was gone.
Just put the serialize-javascript in the resolutions inside package.json so you can force it to use the last update. then run yarn upgrade.
Same issue occurred me, tried below ways and worked
1) yarn add serialize-javascript
git add .
git commit -m "Message here"
git push origin master
2) Add resolutions in package.json file
"resolutions": { "serialize-javascript": "^2.1.1" }
and try yarn upgrade
From https://github.com/facebook/react/issues/17559#issuecomment-563457352
There's nothing about React apps that requires the use of this plugin. It's just something being used by react-scripts/Webpack.
One partial solution is to add the yarn.lock file to the .gitignore. That way the alert will not be shown.
Related
I am fairly new to ReactJS and was messing around with Material UI in a build I'm working on. I installed the package and it completely messed up my build and the ability to open the server.
When I do
npm start
I get the following error:
`> react-scripts start
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"babel-jest": "23.6.0"
Don't try to install it manually: your package manager does it automatically.
However, a different version of babel-jest was detected higher up in the tree:
/Users/peter/node_modules/babel-jest (version: 27.5.1)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
Delete node_modules in your project folder.
Remove "babel-jest" from dependencies and/or devDependencies in the package.json file in your project folder.
Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:
If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
Check if /Users/peter/node_modules/babel-jest is outside your project directory.
For example, you might have accidentally installed something in your home folder.
Try running npm ls babel-jest in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed babel-jest.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.`
When I follow the directions, nothing changes. I did clean install of npm and I created the .env file that it asked.
Is my build just completely ruined?
The error is because you have a node_modules folder in your home directory (/Users/peter/), (which I assume is unintended, and react-scripts thinks that your home folder contains a Node.js project). To fix the error, you should remove that directory (e.g. rm -rf /Users/peter/node_modules)
TLDR:
how can I instruct storybook to use babel-loader v8.1.0 OR force react-scripts to use babel-loader v^8.2.2 ?
Details
I Develop a lib with ./example folder which is itself project created with create-react-app. I wanted to add storybook in addition to the normal example pages, so I installed storybook.
after installing storybook I can no longer start the example project with yarn start or the story book with yarn storybook.
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"babel-loader": "8.1.0"
Don't try to install it manually: your package manager does it automatically.
However, a different version of babel-loader was detected higher up in the tree:
D:\Eliav\projects\git projects\react-xarrows\examples\node_modules\babel-loader (version: 8.2.2)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
1. Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
2. Delete node_modules in your project folder.
3. Remove "babel-loader" from dependencies and/or devDependencies in the package.json file in your project folder.
4. Run npm install or yarn, depending on the package manager you use.
well I know what the issue but I don't know how to fix it:
I'm using react-scripts v4.0.3 which for unknown reason requiring exactly babel-loader v8.1.0. i can see this it in yarn.lock:
react-scripts#^4.0.1:
version "4.0.3"
...
dependencies:
...
babel-loader "8.1.0"
and storybook requiring babel-loader v8.2.2 or above:
"#storybook/builder-webpack4#6.2.9":
version "6.2.9"
...
dependencies:
...
babel-loader "^8.2.2"
already tried
what is written in the error above.
hoped that yarn upgrade would upgrade babel-loader from v8.1.0 to v8.2.2 but it does not work because react-scripts require exactly v8.1.0
a workaround that worked
Create a .env file in your project directory and include SKIP_PREFLIGHT_CHECK=true in the file.
but I want to avoid it. is it possible?
So for anyone to whom this is still unclear.
I used create-react-app to create a new app
I added storybook using npx sb init
then they clashed.
SOLUTION:
yarn add babel-loader#8.1.0
UPDATE:
The error you often see is that CRA (create-react-app) relies on specific dependencies (e.g. for webpack or babel).
What can also be done is you specify which versions those dependencies must resolve to, based on the error messages
This can be done using the resolutions field in package.json, e.g.:
"resolutions": {
"babel-loader": "8.1.0",
"webpack": "4.x.x",
}
After this all will work Fine.
2 Links to consider https://github.com/facebook/create-react-app/issues/10123
and https://github.com/storybookjs/storybook/issues/4764#issuecomment-740785850
Seems that most people are installing the package to get it to work even thou it says not to install in manually.
So try:
yarn add babel-loader#8.1.0
Quite new to react, and can not find an answer to the simplest of tasks. Just trying to clone a repo to my computer and run it. For example https://github.com/arnab-datta/counter-app .
I do npm install and npm start. But when I do npm start I seem to have dependency errors with a "babel-loader". It gives me the below list of steps to solve the problem, I went through them all and still no success. No matter what project I try to repo the error is always this babel-loader. I am new to react and getting very frustrated being unable to do the simplest of things.
There might be a problem with the project dependency tree. It is
likely not a bug in Create React App, but something you need to fix
locally.
The react-scripts package provided by Create React App requires a
dependency:
"babel-loader": "8.0.5"
Don't try to install it manually: your package manager does it
automatically. However, a different version of babel-loader was
detected higher up in the tree:
/Users/xxx/node_modules/babel-loader (version: 8.0.6)
Manually installing incompatible versions is known to cause
hard-to-debug issues.
If you would prefer to ignore this check, add
SKIP_PREFLIGHT_CHECK=true to an .env file in your project. That will
permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact
order:
Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
Delete node_modules in your project folder.
Remove "babel-loader" from dependencies and/or devDependencies in the package.json file in your project folder.
Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem. If this has
not helped, there are a few other things you can try:
If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
Check if /Users/tylervanzo/node_modules/babel-loader is outside your project directory.
For example, you might have accidentally installed something in your home folder.
Try running npm ls babel-loader in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed babel-loader.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file
in your project. That would permanently disable this preflight check
in case you want to proceed anyway.
All of a sudden I started getting this error when I type
npx create-react-app project
The error is :
Invalid "exports" main target "index.js" defined in the package config /home/swaraj/.npm/_npx/8451/lib/node_modules/create-react-app/node_modules/is-promise/package.json
Can anybody tell me what's this error and how to resolve it
This must mean that your package.json is broken.
I just had the same problem, and it fixed for me when I recreated/edited the package.json it is trying to access.
Type yarn init -y and read the package.json
Add the following lines:
"resolutions": {
"is-promse": "2.1.0",
"run-async/is-promise": "2.1.0"
}
Afterwards do yarn add --dev create-react-app and then try to compile your reactjs application using:
yarn create-react-app <PATH/APP-NAME>
I would also recommend trying to manually remove is-promise property. I think the command for that was called npm remove is-promise, but I am not sure.
But I am pretty sure that your package.json needs a fix :)
Reply if it didn't work, I'll try to find a different way-around then.
If that solution doesn't work try installing node version 12.12.0 and running create-react-app again.
There are issues with the promise dependency being worked on at the moment. Issue
Do not downgrade your node version. Downgrading was a temporary solution, as for now, this issue is fixed with 2.2.2 version of is-promise package. If you still experience problems creating new CRA, consider npm install -g --force create-react-app
If even then bug is still present, please comment your issue to this github issue
I have an issue that I cannot solve.
I'm using ESLint in VSCode for my all projects.
Now I created a new react app but when I run it (npm start or yarn start), it throws an error.
React app use ESLint 5.12.5, is lower version of mine.
I tried following the steps in the suggestion but ... it's not fixed.
Can anyone solve my issue?
I tried npm uninstall -g eslint, npm uninstall eslint, npm i ...bla..bla, removed my ESLint extension in my VSCode, and re-created react app. But the error has not been fixed.
I checked eslint -v, it said 5.14.1, but in the error notice, vscode said version 5.16.0 is in node-modules ##.
This is full error notice when I try yarn start or npm start:
> homework02#0.1.0 start E:\Extenal Code\Hoc JS\ReactJS-iViettech\homework02
> react-scripts start
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"eslint": "5.12.0"
Don't try to install it manually: your package manager does it automatically.
However, a different version of eslint was detected higher up in the tree:
E:\Extenal Code\Hoc JS\node_modules\eslint (version: 5.16.0)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
1. Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
2. Delete node_modules in your project folder.
3. Remove "eslint" from dependencies and/or devDependencies in the package.json file in your project folder.
4. Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:
5. If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
6. Check if E:\Extenal Code\Hoc JS\node_modules\eslint is outside your project directory.
For example, you might have accidentally installed something in your home folder.
7. Try running npm ls eslint in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed eslint.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.
I just solved this issue, the error says:
The react-scripts package provided by Create React App requires a dependency:
"eslint": "5.12.0" (in my case "^5.16.0")
but also says you have another version at package.json that's
E:\Extenal Code\Hoc JS\node_modules\eslint (version: 5.16.0) in my case was 6.1.0
so my solution was:
I searched for the dependency called eslint and updated the version similar to Create React App expected "eslint": "^5.12.0" (in my case "eslint": "^5.16.0") at package.json
Then run npm install and now you can run npm start... if you have troubles with slint-plugin-import just update the version as well, additional you can try installing locally instead of global with --save.
I believe this is an ongoing issue with create-react-app and eslint as detailed at:
https://github.com/wesbos/eslint-config-wesbos/issues/17
There are a number of suggestions there, though I'm hoping they will put a more permanent fix in place.
In my case it works like below:
Create New Project or clone form vcs.
Create .eslintrc.json file by yourself. Do not use Ctrl+Shift+P ->Eslint:create eslint configuration.
Try searching for eslint and change the version to the required version in the package.json file of eslint. 5.12.0 in your case.
Just try clearing cache and everything will come into normal usage you can use npx create-react-app project-folder-name, this worked for me.
Use this cmd in your terminal
cmd -> npm cache clean —force
there is different process to make it work just have to follow two installations for the future projects too if you like you can use this too and can work for your projects, cmd line is mentioned below :
cmd 1-> create-react-app my-app --scripts-version #nomoreanalog/react-scripts-eslintless
cmd 2-> npm install --save-dev babel-plugin-styled-components