babel-preset-react-app is importing an undeclared dependency

[historycoder]

Describe the bug

Using npx create-react-app has an undeclared dependency and 6 high severity vulnerabilities.

`Watch Usage: Press w to show more.One of your dependencies, babel-preset-react-app, is importing the
"@babel/plugin-proposal-private-property-in-object" package without
declaring it in its dependencies. This is currently working because
"@babel/plugin-proposal-private-property-in-object" is already in your
node_modules folder for unrelated reasons, but it may break at any time.

babel-preset-react-app is part of the create-react-app project,
which
is not maintianed anymore. It is thus unlikely that this bug will
ever be fixed. Add "@babel/plugin-proposal-private-property-in-object" to
your devDependencies to work around this error. This will make this message
go away.`

npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

6 high severity vulnerabilities

Did you try recovering your dependencies?

Yes
Result: It did clear the undeclared dependency warning, but then showed '6 high severity vulnerabilities' which can't be fixed using 'npm audit fix'

npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

6 high severity vulnerabilities

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

Environment Info:

current version of create-react-app: 5.0.1
running from C:\Users\sorts\AppData\Local\npm-cache_npx\c67e74de0542c87c\node_modules\create-react-app

System:
OS: Windows 10 10.0.22621
CPU: (12) x64 Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz
Binaries:
Node: 18.16.1 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 9.8.1 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: Not Found
Edge: Spartan (44.22621.2070.0), Chromium (115.0.1901.200)
Internet Explorer: 11.0.22621.1
npmPackages:
react: ^18.2.0 => 18.2.0
react-dom: ^18.2.0 => 18.2.0
react-scripts: 5.0.1 => 5.0.1
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

1. terminal command: npx create-react-app
2. terminal command: npm run test
3. Watch Usage Result:
4. `Watch Usage: Press w to show more.One of your dependencies, babel-preset-react-app, is importing the
   "@babel/plugin-proposal-private-property-in-object" package without
   declaring it in its dependencies. This is currently working because
   "@babel/plugin-proposal-private-property-in-object" is already in your
   node_modules folder for unrelated reasons, but it may break at any time.

babel-preset-react-app is part of the create-react-app project,
which
is not maintianed anymore. It is thus unlikely that this bug will
ever be fixed. Add "@babel/plugin-proposal-private-property-in-object" to
your devDependencies to work around this error. This will make this message
go away.`

Expected behavior

Using the command create-react-app install a project that has all dependencies declared and does not have high-severity vulnerabilities.

Actual behavior

`Watch Usage: Press w to show more.One of your dependencies, babel-preset-react-app, is importing the
"@babel/plugin-proposal-private-property-in-object" package without
declaring it in its dependencies. This is currently working because
"@babel/plugin-proposal-private-property-in-object" is already in your
node_modules folder for unrelated reasons, but it may break at any time.

babel-preset-react-app is part of the create-react-app project,
which
is not maintianed anymore. It is thus unlikely that this bug will
ever be fixed. Add "@babel/plugin-proposal-private-property-in-object" to
your devDependencies to work around this error. This will make this message
go away.`

npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

6 high severity vulnerabilities

Reproducible demo

(Paste the link to an example project and exact instructions to reproduce the issue.)

[mhardik003]

It also has a minor typo in the sentence

"babel-preset-react-app is part of the create-react-app project, which is not maintianed anymore."

Please fix this as well

[jasonaowen]

This was fixed in #12364 , but there hasn't been a release since it was merged.

[alokmenghrajani]

It also has a minor typo in the sentence

"babel-preset-react-app is part of the create-react-app project, which is not maintianed anymore."

Please fix this as well

PR to fix the typo: babel/babel-plugin-proposal-private-property-in-object#6

[aarowman]

I think create-react-app is no longer maintained , so this will likely not be fixed. :(

The workaround is to install the repo explicitly in devDependencies:
npm install --save-dev @babel/plugin-proposal-private-property-in-object

[checonunez74]

@aarowman's solution worked for me, thanks man!

npm install --save-dev @babel/plugin-proposal-private-property-in-object

[stevemao]

@aarowman where do you see create-react-app is no longer maintained? I don't see any deprecation notice in this repo

[Dharmesh-IT]

@aarowman still getting the same msg, I don't see any deprecation notice in this repo. which new repo need to use

[Dreamsorcerer]

@aarowman where do you see create-react-app is no longer maintained? I don't see any deprecation notice in this repo

Look at the error message shown in the report:

babel-preset-react-app is part of the create-react-app project, which
is not maintianed anymore. It is thus unlikely that this bug will
ever be fixed. Add "@babel/plugin-proposal-private-property-in-object" to
your devDependencies to work around this error. This will make this message
go away.

[huabin]

@aarowman Works for me, thx man.