Dependencies pulled down don't match repo

[reinrl]

It looks like v3.4.1 of react-scripts was last published to NPM four months ago - and so the dependency versions that I get don't match what is currently listed in the latest version of its package.json (e.g., webpack-dev-server 3.10.3 vs. 3.11.0 as an example, which came from this commit, even though package.json in the repo continues to shows 3.4.1 through several pushes). Does a new version need to be published out to npm? I need to take the dependency versions currently listed to get around a noted security vulnerability with webpack-dev-server 3.10.3 (really, with it's dependency on an older version of jquery).

[reinrl]

@gaearon or anyone else - any thoughts?

[gaearon]

I published 3.4.2 earlier today. It won't be in master because that already switched to 4.x

[reinrl]

That's exactly what I needed, thank you!

[ranisalt]

That is still an issue to me. On a clean container, after running yarn install in a package which requires [email protected] which pulls [email protected] I get this:

There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.

The react-scripts package provided by Create React App requires a dependency:

  "webpack-dev-server": "3.10.3"

Don't try to install it manually: your package manager does it automatically.
However, a different version of webpack-dev-server was detected higher up in the tree:

  /home/rsa/Documents/margot/node_modules/webpack-dev-server (version: 3.11.0)

[gaearon]

@ranisalt You probably have older react-scripts somewhere in the tree. Try deleting your lockfile and recreating it.

[adrienlo]

I've deleted my lockfile and node_modules but I get this issue as well. I've installed a dependency that uses babel-jest.

I used the latest CRA and my react-scripts is 3.4.3.

The react-scripts package provided by Create React App requires a dependency:

  "babel-jest": "^24.9.0"

Don't try to install it manually: your package manager does it automatically.
However, a different version of babel-jest was detected higher up in the tree:

  /cra/node_modules/babel-jest (version: 25.5.1)

$ npm ls babel-jest
├─┬ @foo/[email protected]
│ └─┬ [email protected]
│   └─┬ @jest/[email protected]
│     └─┬ [email protected]
│       └── [email protected]
└─┬ [email protected]
  ├── [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

Edit
Extra notes: @foo/utils is a custom package that we deploy to npm. babel-jest is a devDependencies.

[gaearon]

@adrienlo Your question is unrelated to the very specific issue being discussed. I assume people end up here because of the search but it was a very specific question. Feel free to raise a new issue if you think there's a bug.