by nirvdrum 1815 days ago
I don't think anyone should be blindly upgrading anything. Doing so brings about its own set of problems and in many cases makes things worse. This is particularly true in the case of Create React App, where just upgrading dependencies will often break the application.

The last Create React App I worked on (~3 months ago) had over 500 "vulnerabilities" reported by npm/yarn audit. Most of the reported vulnerabilities were obviously junk. As the author noted, there's no need to report vulnerabilities in the same dependency in every path through the dependency graph. The noise made it very difficult to sift through the output for anything useful. Even then, I have my doubts about how applicable the results are because with tree shaking of an SPA, it's quite possible the vulnerable part of a dependency is never even used.
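As an added illustration of the per-path duplicate noise described in this comment (example code, not from the commenter): a small Node script that collapses `yarn audit --json` output, which emits one `auditAdvisory` line for every dependency path that reaches a vulnerable package, into one record per advisory with its paths listed. The sample lines are constructed and only mimic the yarn v1 audit NDJSON shape (`data.advisory`, `data.resolution.path`).

```javascript
// Added example: collapse yarn v1 `audit --json` (one line per dependency
// path) into one record per advisory. The input below is constructed
// sample data, not real audit output.
const SAMPLE_AUDIT_NDJSON = [
  '{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"react-scripts>webpack>lodash"},"advisory":{"id":1001,"module_name":"lodash","severity":"high","title":"Prototype Pollution"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"react-scripts>jest>lodash"},"advisory":{"id":1001,"module_name":"lodash","severity":"high","title":"Prototype Pollution"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"react-scripts>eslint>lodash"},"advisory":{"id":1001,"module_name":"lodash","severity":"high","title":"Prototype Pollution"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":2002,"path":"react-scripts>browserslist"},"advisory":{"id":2002,"module_name":"browserslist","severity":"moderate","title":"ReDoS"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"high":3,"moderate":1}}}',
].join('\n');

// Parse NDJSON and keep only the advisory records (summary lines and
// malformed lines are skipped).
function parseAdvisories(ndjson) {
  const out = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    if (rec.type === 'auditAdvisory') out.push(rec.data);
  }
  return out;
}

// Group findings by advisory id so each vulnerability appears once,
// with every dependency path that reaches it listed alongside.
function dedupeAudit(ndjson) {
  const byId = new Map();
  for (const { advisory, resolution } of parseAdvisories(ndjson)) {
    const entry = byId.get(advisory.id) || {
      id: advisory.id, module: advisory.module_name,
      severity: advisory.severity, title: advisory.title, paths: new Set(),
    };
    entry.paths.add(resolution.path);
    byId.set(advisory.id, entry);
  }
  return [...byId.values()].map(e => ({ ...e, paths: [...e.paths].sort() }));
}

// Raw finding count vs. distinct advisories: the gap is the noise.
function auditStats(ndjson) {
  return { raw: parseAdvisories(ndjson).length, unique: dedupeAudit(ndjson).length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(dedupeAudit(SAMPLE_AUDIT_NDJSON), null, 2));
  console.log(auditStats(SAMPLE_AUDIT_NDJSON));
}
```

Pipe real output in with `yarn audit --json | node dedupe.js` after replacing the constructed sample with `fs.readFileSync(0, 'utf8')`; this only trims path duplicates, it does not tell you whether the vulnerable code survives tree shaking.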