
> the biggest challenge in the JavaScript community was how fast everything moved

If you don't like things moving too fast, then React does seem to be the ideal ecosystem:

https://github.com/facebook/create-react-app/issues/9033#iss...

TL;DR A vulnerability was discovered in a transitive dependency of "create-react-app" and announced back in March, but the one line patch to update the hard-coded reference to the vulnerable version is being held back for a future major version upgrade of the "create-react-app" package. 5 months on and the issue is marked as Closed but the new version hasn't been released.



To be clear, the vulnerability has no actual effect on CRA apps. The description says it’s for a DDOS attack which is completely irrelevant because CRA doesn’t use WDS for production environments. (It doesn’t even have a production web server.)

While I agree that ideally a release should be cut to satisfy people affected by enterprise requirements, we are looking at a case of an overzealous audit checker, not an actual vulnerability that affects your apps.

(Edit: I've cut a release though; see my response in https://github.com/facebook/create-react-app/issues/9033#iss...)
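A triage check for the situation described above, added here as an example (not code from this thread or from the create-react-app project): given a constructed dependency graph with hypothetical package names, it reports whether a flagged package is reachable from the app's production dependencies or only through devDependencies such as a dev server, and shows the chain that pulls it in.

```javascript
// Added example, not code from the thread or from create-react-app: triage an audit
// finding by checking whether the flagged package is reachable from a project's
// production dependencies, or only through devDependencies (e.g. a dev server).
// The graph and package names below are constructed for illustration.
const graph = {
  "my-app": { deps: ["react"], devDeps: ["build-scripts"] },
  "react": { deps: [] },
  "build-scripts": { deps: ["dev-server", "bundler"] },
  "dev-server": { deps: ["http-helper"] },
  "bundler": { deps: [] },
  "http-helper": { deps: [] }, // the package an audit tool has flagged
};

// Breadth-first search from `root`; returns the dependency chain to `target`
// (as an array of names) or null if unreachable. devDependencies are followed
// only at the root, since npm does not install devDependencies of dependencies.
function findPath(graph, root, target, includeDev) {
  const parent = new Map([[root, null]]);
  const queue = [root];
  while (queue.length) {
    const name = queue.shift();
    if (name === target) {
      const path = [];
      for (let n = name; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    const node = graph[name] || { deps: [] };
    const edges = [...node.deps];
    if (includeDev && name === root) edges.push(...(node.devDeps || []));
    for (const dep of edges) {
      if (!parent.has(dep)) { parent.set(dep, name); queue.push(dep); }
    }
  }
  return null;
}

// Classify a flagged package for triage. "dev-only" means the code never ships in
// the production build or server, so the finding is noise for that app (though
// still worth fixing upstream); "production" means it needs a real look.
function classifyFinding(graph, root, flagged) {
  const prod = findPath(graph, root, flagged, false);
  if (prod) return { status: "production", path: prod };
  const dev = findPath(graph, root, flagged, true);
  if (dev) return { status: "dev-only", path: dev };
  return { status: "unreachable", path: null };
}

console.log(classifyFinding(graph, "my-app", "http-helper"));
// → { status: 'dev-only', path: [ 'my-app', 'build-scripts', 'dev-server', 'http-helper' ] }
```

Feeding the same check the real graph from a lockfile is what separates an audit hit that affects shipped code from one that only affects the developer's machine.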


Thank you for your professionalism and humility. I too would like to apologise for not giving the full context and incorrectly suggesting that the vulnerability might actually affect apps created by CRA.

I think that the real concern was not the non-existent security implications (although it's a bad habit to ignore even an overzealous audit checker), but that the release process for CRA seemed to make it very hard to cut new patch releases. Your comment suggests that it wasn't so hard after all, for which I am relieved and grateful, but the policy of expecting people to wait for (and deal with the backwards incompatibility of) major version updates[0] doesn't feel like an industry best practice.

[0] https://github.com/facebook/create-react-app/issues/9033#iss...


I think there are definitely things that could be improved in the release process there. The project is mostly run by volunteer contributors as there are limited things we can focus on, and currently we're very focused on React itself. If someone were to volunteer to streamline the release process and improve it, I'm sure the maintainers would have been appreciative.



