Help needed to work with react in my machine and in Codepen

Hi. I’m working on the assignment Random Quote Machine. I’m going to work with React. I have Node on my machine, but I don’t know how to compile the JSX files in order to see the progress in the browser. The same goes for CodePen. There is a link to npm to search for packages to install, but I don’t know which one is what I’m looking for.
I would appreciate very much any help.
Thanks in advance.

Regards :slight_smile:

Hi @Amapola-Negra !

If you want to build react in your local machine then you can use Create React App.

For codepen, you will need to adjust the JS settings to use babel, react and react-dom

Many thanks for your reply Jessica. I installed the pack, but it presents vulnerabilities. What can I do to solve them? Thanks in advance.

Regards :slight_smile:


Hi again Jessica. I’m searching the web and this pack has a lot of vulnerabilities. I’m not happy using it. Isn’t there another way to create a React project? Thanks in advance.

Regards :slight_smile:

Yeah, vulnerabilities can be a drag.

If npm audit fix isn’t doing anything you could try to manually fix the vulnerabilities.
You could look into alternate fixes from stackoverflow answers like this one.

Or could set up a react project without CRA.
Here is a guide on how to do that.

Thanks again Jessica. I’m getting more and more worried every minute. I have read these links, which were sent to me by the React community:

https://github.com/facebook/create-react-app/issues/11174

https://overreacted.io/npm-audit-broken-by-design/

I’m working to be a developer and, according to the last link, “development dependencies are an attack vector”. So I wonder, isn’t there a way to work and develop software in a more secure way? Thanks in advance.

Regards :slight_smile:

Breathe.
Everything is going to be fine :grinning:
I promise

You can drive yourself insane worrying about all of the possible security threats on the web.

There is plenty of time to learn about security and write software to protect from threats.
But I think you are getting a little ahead of yourself. :grinning:

Let’s just focus on building these projects in the front end certification.

You can slowly start to learn about how to best secure your applications through articles and videos like this one.

I am sure edx or coursera might have some good courses on security you can look into.

For right now, I would just focus on building the front end projects.

Then you can slowly learn about security :grinning:

TL;DR what @jwilkins.oboe said, don’t lose sleep over the npm warnings. You will never learn a framework if you stop every time npm reports a “vulnerability”.


Knowing if a vulnerability is actually exploitable in a way that is dangerous to you or your users requires a lot of knowledge. Just because npm doesn’t report a vulnerability doesn’t mean there isn’t one, nor does it reporting one mean you have anything to worry about. If you read the overreacted blog post you should know it’s a lot more complicated than just some tool reporting a “vulnerability”.

In most cases, you have nothing to worry about. The long list of vulnerabilities you get on every package over its history of existence is mostly low to medium vulnerabilities that have little to no effect on your app. Some are impossible for you to fix because of interdependencies, i.e. a package is vulnerable because it is using another vulnerable package and you might not be able to update the “nested” dependencies without breaking the main package.

Most people that do not run some major site or app pretty much ignore the warnings and just let a GitHub dependencies bot handle it without even checking the vulnerabilities. Which means they won’t know if they (or their users) were in any real danger. But as said, most reported vulnerabilities are close to irrelevant.

There are a lot of developers’ eyes on the malicious code so it isn’t that easy to get away with. But considering how the npm ecosystem works it’s a bit of a miracle that it hasn’t been worse (that we know of anyway). There have been a few scary vulnerabilities but they usually get caught pretty fast and are given more attention than just some npm warning.

In the end, you may never know. High-value targets usually do not even report breaches if they can avoid it, as it’s bad for business.

https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
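A concrete way to do the triage the post above describes, as an added example that is not code from the thread or from npm itself: the script takes the JSON that `npm audit --json` prints (the `auditReportVersion: 2` shape of npm 7 and later), counts findings per severity, separates packages you installed directly from ones pulled in transitively, and sorts them into "npm audit fix handles it", "only fixable by a breaking upgrade of the parent", and "no fixed version exists". The report object is constructed sample data with placeholder package names, titles and advisory ids; the field names (`severity`, `isDirect`, `via`, `effects`, `fixAvailable`) are npm's own.

```javascript
// Added example: triage of an `npm audit --json` report. The report below is
// CONSTRUCTED sample data; package names, titles and `source` ids are
// placeholders and do not refer to real advisories.
const sampleAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Transitive: reachable only through example-css-tool -> example-build-scripts.
    "example-regex-lib": {
      name: "example-regex-lib", severity: "high", isDirect: false,
      via: [{ source: 0, name: "example-regex-lib", title: "Placeholder advisory (constructed)",
              range: "<2.0.1", severity: "high" }],
      effects: ["example-css-tool"], range: "<2.0.1", nodes: ["node_modules/example-regex-lib"],
      // Fix exists, but only by a major bump of the top-level package that pulls it in.
      fixAvailable: { name: "example-build-scripts", version: "6.0.0", isSemVerMajor: true },
    },
    "example-css-tool": {
      name: "example-css-tool", severity: "high", isDirect: false,
      via: ["example-regex-lib"], // a string in `via` = vulnerable because of that dependency
      effects: ["example-build-scripts"], range: "<=3.1.0", nodes: ["node_modules/example-css-tool"],
      fixAvailable: { name: "example-build-scripts", version: "6.0.0", isSemVerMajor: true },
    },
    // Direct: the package actually listed in package.json.
    "example-build-scripts": {
      name: "example-build-scripts", severity: "high", isDirect: true,
      via: ["example-css-tool"], effects: [], range: "<6.0.0",
      nodes: ["node_modules/example-build-scripts"],
      fixAvailable: { name: "example-build-scripts", version: "6.0.0", isSemVerMajor: true },
    },
    "example-date-lib": {
      name: "example-date-lib", severity: "moderate", isDirect: true,
      via: [{ source: 1, name: "example-date-lib", title: "Placeholder advisory (constructed)",
              range: "<1.4.2", severity: "moderate" }],
      effects: [], range: "<1.4.2", nodes: ["node_modules/example-date-lib"],
      fixAvailable: true, // `npm audit fix` can apply a non-breaking update
    },
    "example-old-helper": {
      name: "example-old-helper", severity: "low", isDirect: true,
      via: [{ source: 2, name: "example-old-helper", title: "Placeholder advisory (constructed)",
              range: "*", severity: "low" }],
      effects: [], range: "*", nodes: ["node_modules/example-old-helper"],
      fixAvailable: false, // no patched release exists at all
    },
  },
};

// Group the findings the way a reviewer would read them.
function triageAudit(report) {
  const bySeverity = { critical: 0, high: 0, moderate: 0, low: 0, info: 0 };
  const out = { bySeverity, direct: [], transitive: [], autoFixable: [], needsMajorBump: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    if (v.severity in bySeverity) bySeverity[v.severity] += 1;
    (v.isDirect ? out.direct : out.transitive).push(v.name);
    if (v.fixAvailable === true) {
      out.autoFixable.push(v.name);
    } else if (v.fixAvailable === false) {
      out.noFix.push(v.name);
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      out.needsMajorBump.push(`${v.name} (via ${v.fixAvailable.name}@${v.fixAvailable.version})`);
    } else if (v.fixAvailable) {
      out.autoFixable.push(v.name); // non-breaking fix on a parent package
    }
  }
  return out;
}

// Follow `effects` upward from a nested finding to the top-level package you
// actually installed, i.e. the one whose upgrade would make the warning go away.
function affectedChain(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name) || v.effects.length === 0) return [name];
  seen.add(name);
  return [name, ...affectedChain(report, v.effects[0], seen)];
}

// Stand-alone run over the constructed report.
console.log(JSON.stringify(triageAudit(sampleAuditReport), null, 2));
console.log(affectedChain(sampleAuditReport, "example-regex-lib").join(" -> "));
```

To run it against a real project, replace `sampleAuditReport` with `JSON.parse` of the file produced by `npm audit --json > audit.json`. The `needsMajorBump` and `noFix` buckets are exactly the "impossible for you to fix because of interdependencies" cases from the post: `npm audit fix` will not touch them, and the chain printed by `affectedChain` shows which top-level dependency would have to move before the nested one can.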

Many thanks to you both. I know I’m just scratching the surface in my learning process. I just want to avoid bad practice from the start. I think that if you get used to it just because you are learning and you don’t have a client to work with, then, when you have a client in the future, it will be very difficult to adopt good habits, just because you never did. I know it may sound ridiculous to a professional like you, but I try to do the best I can. I try to see every project, no matter how big it is, as a real project, because this is what I think I will have to do in the future. Thanks again.

Regards :slight_smile:

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.