
Running "npx create-react-app my-app" fails caused by found vulnerability #4487

Closed
omniproc opened this issue May 18, 2018 · 11 comments

Comments

@omniproc

omniproc commented May 18, 2018

Is this a bug report?

Yes

Did you try recovering your dependencies?

npm 6.0.1

Which terms did you search for in User Guide?

None, see issue description.

Environment

npx: installed 67 in 13.51s

Environment:
OS: Windows 10
Node: 8.11.2
Yarn: Not Found
npm: 6.0.1
Watchman: Not Found
Xcode: N/A
Android Studio: Version 3.0.0.0 AI-171.4443003

ERROR: package.json not found!

Steps to Reproduce

  1. Open a new cmd.exe / powershell.exe prompt as user or as local administrator.
  2. Run npx create-react-app my-app

Expected Behavior

A basic react environment should be created.

Actual Behavior

npm install fails. Full output:

PS > npx create-react-app my-app
npx: installed 67 in 9.444s

Creating a new React app in C:\pathto\my-app.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...

The system cannot find the path specified.

> uglifyjs-webpack-plugin@0.4.6 postinstall C:\pathto\my-app\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js

+ react-dom@16.3.2
+ react@16.3.2
+ react-scripts@1.1.4
added 1321 packages from 811 contributors in 224.148s
[!] 1 vulnerability found [14378 packages audited]
    Severity: 1 Critical
    Run `npm audit` for more detail


Aborting installation.
  npm install --save --save-exact --loglevel error react react-dom react-scripts has failed.

Deleting generated file... node_modules
Deleting generated file... package.json
Done.

Reproducible Demo

Really just any Windows PC with the env. spec. I posted. Node + all NPM / Node folders on the system have been deleted and node re-installed (tested both: node v8.11.2 LTS and node 10 latest (v10.1.0)). Node cache was verified and force cleaned multiple times as well. I still get the same error.

@iansu
Contributor

iansu commented May 18, 2018

I believe this is the same vulnerability: #4479. However, Create React App isn't directly affected by that vulnerability.

If npx is automatically running npm audit and failing if any vulnerabilities are found then that's going to be a problem for us with npm >= 6.

In the meantime, you can use yarn instead of npm by running yarn create react-app my-app.

@omniproc
Author

omniproc commented May 18, 2018

In another environment I have, I was able to run the command npx create-react-app my-app without any issues. The environment was:

Environment:
  OS:  Windows 10
  Node:  10.0.0
  Yarn:  Not Found
  npm:  5.6.0
  Watchman:  Not Found
  Xcode:  N/A
  Android Studio:  Version  3.0.0.0 AI-171.4443003

I then updated npm to 6.1.0 in that environment. Details:

Environment:
  OS:  Windows 10
  Node:  10.1.0
  Yarn:  Not Found
  npm:  6.1.0-next.0
  Watchman:  Not Found
  Xcode:  N/A
  Android Studio:  Not Found

And now, on this machine, I was NOT getting the error although using npm 6.x. The output was:

npx: installed 1 in 1.872s
command not found: prefix
npx: installed 67 in 7.108s

Creating a new React app in C:\pathto\my-app.

Installing packages. This might take a couple of minutes.
(node:11624) ExperimentalWarning: The fs.promises API is experimental
Installing react, react-dom, and react-scripts...


> uglifyjs-webpack-plugin@0.4.6 postinstall C:\pathto\my-app\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js

+ react-dom@16.3.2
+ react@16.3.2
+ react-scripts@1.1.4
added 1321 packages from 811 contributors and audited 14378 packages in 146.71s
found 1 critical severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Success! Created my-app at C:\pathto\my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!

So after checking on multiple systems this issue seems to be related to some system configuration. I just have not found out which one yet.

If you check closely, the first output I posted has a line saying "The system cannot find the path specified." in it. I seem to be getting that error whenever I call npm on the affected systems, but so far I was unable to find out what's causing this strange behaviour. Could be completely unrelated though.

I'd be grateful for any ideas where to get more logging information from so I can find out what's actually happening there.

@iansu
Contributor

iansu commented May 18, 2018

The npm audit command was added in npm 6, which is why you’re not seeing the error on the other system with npm 5.6.

@omniproc
Author

omniproc commented May 18, 2018

@iansu - as I wrote, I updated to 6.1.0 on that system and do not get the error anymore. It's not dependent on the npm version. Or at least not solely.

@iansu
Contributor

iansu commented May 18, 2018

I missed that detail. I’m not at my computer and must not have read your reply carefully enough. I’m not sure what would be causing that. We’ll have to look into it more.

@omniproc
Author

Not a problem. I'll let you know when I find out some more details.

@pkrawc

pkrawc commented May 19, 2018

The problem is with a vulnerability in create-react-app's macaddress dependency. It's got command injection capabilities and could leave apps critically compromised.

@gaearon
Contributor

gaearon commented May 19, 2018

That’s not the case for how it’s used by cssnano (which is why you get it in CRA). So CRA apps are definitely not affected by this.

Additionally it’s a build dependency. Even if CRA dev environment was affected by this (which is not the case), “could leave apps compromised” is extremely misleading because this dependency isn’t used at runtime. CRA just gives you a static bundle, there’s no way a build dependency vulnerability could compromise your deployed apps.

@gaearon
Contributor

gaearon commented May 19, 2018

For more details see my reply in #4479 (comment)

@bugzpodder

This looks resolved, postcss-filter-plugins removed uniqid dependency in their latest update and subsequently the audit check passes.

@gaearon
Contributor

gaearon commented Jun 1, 2018

@bugzpodder thanks for the follow-up!

@lock lock bot locked and limited conversation to collaborators Jan 19, 2019