One of the create-react-app maintainers has announced that they cannot fix this as the vulnerabilities affect transitive dependencies, and that it should not matter.
The reasoning is that the `npm audit` feature was built with Node apps in mind, not build tools. Vulnerabilities in the dependencies should (in most cases) not translate to vulnerabilities in the static web app produced by create-react-app.
A possible workaround is to move `react-scripts` to the `devDependencies` section in your `package.json` and use `npm audit --production` to audit your dependencies.
Source: https://github.com/facebook/create-react-app/issues/11174