Problem with dependencies

In the package.json not all required dependencies are actually defined as non dev dependencies f.e.: axios is used to communicate with the PHP backend (btw very nice that the info file is not public 😉 ).
I am not a react developer myself but since the dependencies are defined in this way I would assume you are running the react application in the development mode on your website or at the very least also has actual development dependencies on your production environment installed. Both open your server to several security issues.