No, but the number being quoted is the sum of two different security concerns - and it’s attributing the concern to ‘react apps’, when actually react itself is pretty clean in terms of dependencies.