Hi. I’m working on the Random Quote Machine assignment. I’m going to work with React. I have Node on my machine, but I don’t know how to compile the JSX files in order to see the progress in the browser. The same goes for CodePen. There is a link to npm to search for packages to install, but I don’t know which one is the one I’m looking for.
I would appreciate very much any help.
Thanks in advance.
Hi again, Jessica. I’ve been searching the web, and this package has a lot of vulnerabilities. I’m not happy using it. Isn’t there another way to create a React project? Thanks in advance.
If npm audit fix isn’t doing anything, you could try to fix the vulnerabilities manually.
You could look into alternate fixes from Stack Overflow answers like this one.
Or you could set up a React project without CRA.
Here is a guide on how to do that.
I’m working to become a developer, and according to the last link, “development dependencies are an attack vector”. So I wonder, isn’t there a way to work and develop software in a more secure way? Thanks in advance.
TL;DR: what @jwilkins.oboe said; don’t lose sleep over the npm warnings. You will never learn a framework if you stop every time npm reports a “vulnerability”.
Knowing if a vulnerability is actually exploitable in a way that is dangerous to you or your users requires a lot of knowledge. Just because npm doesn’t report a vulnerability doesn’t mean there isn’t one, nor does it reporting one mean you have anything to worry about. If you read the overreacted blog post, you should know it’s a lot more complicated than just some tool reporting a “vulnerability”.
In most cases, you have nothing to worry about. The long list of vulnerabilities you get on every package over its history of existence is mostly low to medium vulnerabilities that have little to no effect on your app. Some are impossible for you to fix because of interdependencies, i.e. a package is vulnerable because it is using another vulnerable package and you might not be able to update the “nested” dependencies without breaking the main package.
Most people who do not run some major site or app pretty much ignore the warnings and just let a GitHub dependency bot handle it without even checking the vulnerabilities. Which means they won’t know if they (or their users) were in any real danger. But as said, most reported vulnerabilities are close to irrelevant.
There are a lot of developers’ eyes on the malicious code, so it isn’t that easy to get away with. But considering how the npm ecosystem works, it’s a bit of a miracle that it hasn’t been worse (that we know of, anyway). There have been a few scary vulnerabilities, but they usually get caught pretty fast and are given more attention than just some npm warning.
In the end, you may never know. High-value targets usually do not even report breaches if they can avoid it, as it’s bad for business.
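As an added example that is not code from this thread or from any of the guides linked in it: the earlier suggestion to fix vulnerabilities manually when npm audit fix does nothing, and the point above about “nested” dependencies you cannot update without breaking the package that pulls them in, both come down to reading the audit report rather than the one-line warning. The script below triages the JSON that npm audit --json prints (npm 7 and later, auditReportVersion 2) against package.json: for every vulnerable package it reports the severity, the direct dependencies it is reached through, whether all of those are devDependencies, and whether npm audit fix can resolve it without a semver-major bump. For transitive packages with no published fix, it proposes a package.json "overrides" entry (supported from npm 8.3). Every package name, advisory number and version in the sample input is constructed for the example; nothing here refers to a real advisory.

```javascript
// Added example, not code from the thread: triage the JSON that
// `npm audit --json` prints (npm 7+, "auditReportVersion": 2) against
// package.json. Every package name and advisory below is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// npm lists, for each vulnerable package, the packages it makes vulnerable in
// turn ("effects"). Follow that chain up to the project's direct dependencies,
// guarding against cycles.
function rootDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const entry = vulns[name];
  if (entry.isDirect) return [name];
  return (entry.effects || []).flatMap((parent) => rootDependents(vulns, parent, seen));
}

// One triage row per vulnerable package, highest severity first.
function triageAudit(audit, pkg) {
  const vulns = audit.vulnerabilities || {};
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return Object.values(vulns)
    .map((v) => {
      const roots = [...new Set(rootDependents(vulns, v.name))];
      // "devOnly": every direct dependency leading here is a devDependency and
      // none ships to users. The code still runs on your machine and in CI.
      const devOnly = roots.length > 0 && roots.every((r) => dev.has(r) && !prod.has(r));
      let action;
      if (v.fixAvailable === true) {
        action = "npm audit fix";
      } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
        action = `major bump of ${v.fixAvailable.name} to ${v.fixAvailable.version}`;
      } else if (v.fixAvailable) {
        action = `update ${v.fixAvailable.name} to ${v.fixAvailable.version}`;
      } else {
        action = v.isDirect ? "no fix published; review advisory" : "no fix published; consider an npm override";
      }
      return { name: v.name, severity: v.severity, isDirect: !!v.isDirect, roots, devOnly, action };
    })
    .sort((a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0));
}

// For transitive packages with no published fix, propose a package.json
// "overrides" entry (npm 8.3+) pinning the package above the vulnerable range.
// Only simple "<x.y.z" advisory ranges are handled; anything else is left to a human.
function suggestOverrides(audit) {
  const overrides = {};
  for (const v of Object.values(audit.vulnerabilities || {})) {
    if (v.isDirect || v.fixAvailable !== false) continue;
    for (const adv of v.via || []) {
      const m = adv && typeof adv === "object" && /^<(\d+\.\d+\.\d+)$/.exec(adv.range || "");
      if (m) overrides[v.name] = `>=${m[1]}`;
    }
  }
  return overrides;
}

// Constructed sample input in the shape `npm audit --json` produces, trimmed to
// the fields used above. The packages, versions and advisory ids are invented.
const samplePackageJson = {
  name: "random-quote-machine",
  dependencies: { react: "^18.2.0", "quote-widget": "^1.0.0" },
  devDependencies: { "dev-bundler": "^4.0.0" },
};
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-matcher": { name: "glob-matcher", severity: "high", isDirect: false,
      via: [{ source: 1001, name: "glob-matcher", severity: "high", range: "<3.1.0" }],
      effects: ["dev-bundler"], fixAvailable: { name: "dev-bundler", version: "5.0.0", isSemVerMajor: true } },
    "dev-bundler": { name: "dev-bundler", severity: "high", isDirect: true,
      via: ["glob-matcher"], effects: [], fixAvailable: { name: "dev-bundler", version: "5.0.0", isSemVerMajor: true } },
    "html-escaper": { name: "html-escaper", severity: "moderate", isDirect: false,
      via: [{ source: 1002, name: "html-escaper", severity: "moderate", range: "<1.4.2" }],
      effects: ["quote-widget"], fixAvailable: true },
    "tiny-logger": { name: "tiny-logger", severity: "low", isDirect: false,
      via: [{ source: 1003, name: "tiny-logger", severity: "low", range: "<0.9.0" }],
      effects: ["quote-widget"], fixAvailable: false },
    "quote-widget": { name: "quote-widget", severity: "moderate", isDirect: true,
      via: ["html-escaper", "tiny-logger"], effects: [], fixAvailable: true },
  },
};

// Stand-alone run: print the triage table and any suggested overrides.
if (typeof require !== "undefined" && require.main === module) {
  console.table(triageAudit(sampleAudit, samplePackageJson));
  console.log(JSON.stringify({ overrides: suggestOverrides(sampleAudit) }, null, 2));
}
```

To use it on a real project, run npm audit --json > audit.json in the project directory and pass the parsed file and package.json to triageAudit instead of the constructed samples. Two caveats: a finding marked devOnly is not harmless, since that code still executes on your machine and in CI, which is exactly why the linked post calls development dependencies an attack vector; and an override forces a version the dependent package was never tested against, so run the project’s test suite after adding one and treat it as a stopgap until the dependent publishes a fix.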
Many thanks to you both. I know I’m just on the surface in my learning process. I just want to avoid bad practice from the start. I think that if you get used to it just because you are learning and you don’t have a client to work with, then, when you have a client in the future, it will be very difficult to adopt good habits, just because you never did. I know it may sound ridiculous to a professional like you, but I try to do the best I can. I try to see every project, no matter how big it is, as a real project, because this is what I think I will have to do in the future. Thanks again.