Tags: node.js, reactjs, security, github

github Dependabot alert: Inefficient Regular Expression Complexity in nth-check


Possible duplicate, but couldn't find any clear answers.

Dependabot cannot update nth-check to a non-vulnerable version. The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:

react-scripts@5.0.0 requires nth-check@^1.0.2 via a transitive dependency on css-select@2.1.0

Just upgraded to react-scripts@5.0.0 from 4.0.0.


Solution

  • As Dan Abramov explains in this issue, it is (very likely) a false alarm and can be safely dismissed.

    More specifically, if you are using CRA and nth-check is referenced only from it, it is not an issue, because CRA is a build tool and the vulnerable code will never get into the resulting application bundle and thus will never be called by client code.

    You can verify this by moving "react-scripts" into "devDependencies" in package.json and running npm audit --production.