
Security vulnerability with is-svg@^3.0.0 #10762

Closed
Juandkpa opened this issue Mar 29, 2021 · 11 comments
Comments

@Juandkpa

Describe the bug

Dependabot alerts for a high severity vulnerability:

Dependabot cannot update is-svg to a non-vulnerable version
The latest possible version that can be installed is 3.0.0 because of the following conflicting dependency:

react-scripts@4.0.3 requires is-svg@^3.0.0 via a transitive dependency on postcss-svgo@4.0.2
The earliest fixed version is 4.2.2.

CVE-2021-28092

Suggested dependabot remediation

Upgrade is-svg to version 4.2.2 or later. For example:

"dependencies": {
  "is-svg": ">=4.2.2"
}

or…

"devDependencies": {
  "is-svg": ">=4.2.2"
}
@AviVahl

AviVahl commented Apr 6, 2021

Should be fixed now. New postcss-svgo patch release dropped is-svg.

@jiridanek

jiridanek commented Apr 24, 2021

Should be fixed now. New postcss-svgo patch release dropped is-svg.

Thanks, I just did npm update postcss-svgo --depth=5 --dev

@cmacdonnacha

cmacdonnacha commented Apr 26, 2021

Hey, any idea when this will be addressed or is there a workaround for now?

@nj314

nj314 commented Apr 26, 2021

Hey, any idea when this will be addressed or is there a workaround for now?

@cmacdonnacha This was fixed by a bugfix release from postcss-svgo. Bugfix releases can be automatically picked up by your application without a corresponding release from react-scripts. You can either delete and rebuild your package-lock.json to pick it up, or as suggested by @jiridanek, run npm update postcss-svgo --depth=5 --dev.

@cmacdonnacha

cmacdonnacha commented Apr 26, 2021

Excellent thanks @nj314. Will give that a go.

EDIT: This worked: npm update postcss-svgo --depth=5 --dev

@ziaulrehman40

not sure why, but this npm update postcss-svgo --depth=5 --dev is not doing anything for me. 🤔

@cmacdonnacha

A new vulnerability has been found on postcss too.

Remediation

Upgrade postcss to version 8.2.10 or later. For example:

"dependencies": {
  "postcss": ">=8.2.10"
}

or…

"devDependencies": {
  "postcss": ">=8.2.10"
}

@ziaulrehman40

ziaulrehman40 commented May 24, 2021

react-scripts: 4.0.3 has "resolve-url-loader": "^3.1.2" dependency, which resolves to 3.1.3.
resolve-url-loader: 3.1.3 lists a dependency: "postcss": "7.0.21", which is a fixed-version dependency, so I am unable to get rid of the postcss security issue even if I add "postcss": ">=8.2.10" in my package.json.

Sounds like react-scripts needs some updates to fix all these vulnerabilities.
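The situation described in the thread, a vulnerable package pinned several levels deep where `npm update` and a top-level range in package.json cannot reach it, can be checked directly in the lockfile rather than waiting for a Dependabot alert. The following is an added example, not code from the thread or from react-scripts; it walks a constructed lockfileVersion 1 `package-lock.json` (the versions mirror the ones quoted above but the tree itself is made up), reports every installed copy of `is-svg` and `postcss` with its dependency path, and flags copies below the fixed versions stated in the thread. A real lockfile would be loaded from disk instead of the inline sample.

```python
import json

# Constructed lockfileVersion 1 package-lock.json for illustration only.
# Versions follow the thread; the nesting is a hypothetical layout.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "react-scripts": {
      "version": "4.0.3",
      "requires": {"postcss-svgo": "^4.0.2", "resolve-url-loader": "^3.1.2"},
      "dependencies": {
        "postcss-svgo": {
          "version": "4.0.2",
          "requires": {"is-svg": "^3.0.0"},
          "dependencies": {"is-svg": {"version": "3.0.0"}}
        },
        "resolve-url-loader": {
          "version": "3.1.3",
          "requires": {"postcss": "7.0.21"},
          "dependencies": {"postcss": {"version": "7.0.21"}}
        }
      }
    },
    "postcss": {"version": "8.2.10"}
  }
}
""")

# Fixed versions as given in the Dependabot remediation text above.
FIXED_VERSIONS = {"is-svg": "4.2.2", "postcss": "8.2.10"}


def parse_version(version):
    """Turn '8.2.10' into (8, 2, 10); prerelease/build suffixes are ignored."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def find_installs(deps, name, path=()):
    """Yield (dependency path, version) for every copy of `name` in a v1 tree.

    A lockfileVersion 1 tree nests per-package 'dependencies' objects, so the
    same package can be installed several times at different versions."""
    for dep_name, info in deps.items():
        here = path + (f"{dep_name}@{info['version']}",)
        if dep_name == name:
            yield here, info["version"]
        yield from find_installs(info.get("dependencies", {}), name, here)


def vulnerable_installs(lock, fixed=FIXED_VERSIONS):
    """Return (package, installed version, path) for copies below the fixed version."""
    findings = []
    for name, fixed_version in fixed.items():
        for path, version in find_installs(lock["dependencies"], name):
            if parse_version(version) < parse_version(fixed_version):
                findings.append((name, version, " > ".join(path)))
    return findings


if __name__ == "__main__":
    # Example run against the constructed lockfile; with a real project, load
    # json from package-lock.json and re-run after `npm update ... --depth=5`.
    for name, version, path in vulnerable_installs(SAMPLE_LOCK):
        print(f"{name}@{version} below {FIXED_VERSIONS[name]}: {path}")
```

The second finding is the one the comment above describes: the top-level `postcss` is already at 8.2.10, but `resolve-url-loader@3.1.3` pins its own nested copy at exactly 7.0.21, so adding a range to package.json changes nothing for that copy; only a new `resolve-url-loader` (or `react-scripts`) release can move it.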

@stale

stale bot commented Jun 26, 2021

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Jun 26, 2021
@cmacdonnacha

Still an issue.

@stale stale bot removed the stale label Jun 26, 2021
@gaearon
Contributor

gaearon commented Jul 7, 2021

There is, and has not been, an actual vulnerability here.
See #11174.

@gaearon gaearon closed this as completed Jul 7, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 7, 2021