
Child library nth-check is vulnerable to CVE-2021-3803 even with the latest react-scripts@5.0.1 #12778

Open
SunitaIBM opened this issue Oct 14, 2022 · 8 comments · May be fixed by #13778
Comments

@SunitaIBM

There is a dependent library nth-check in react-scripts which is vulnerable to CVE-2021-3803. The mend scan is reporting this vulnerability for our project.

react-scripts@5.0.1
└─┬ @svgr/webpack@5.5.0
  └─┬ @svgr/plugin-svgo@5.5.0
    └─┬ svgo@1.3.2
      └─┬ css-select@2.1.0
        └── nth-check@1.0.2

nth-check v2.0.1 and above is available and is safe from this vulnerability.

To fix this we have upgraded to the latest version of react-scripts (as shown above), but this dependency is still not upgraded. Can you please take action and upgrade this transitive dependency inside the parent library react-scripts at the earliest possible?

@SunitaIBM
Author

Vulnerable react-scripts 5.0.1 makes our product vulnerable. Please upgrade react-scripts 5.0.1 at the earliest possible with the security patches for its transitive dependencies. It should have the updated transitive dependency for nth-check by upgrading nth-check 1.0.2 to the latest available version, nth-check 2.1.1.

@mchakshu19

We are having the same issue in our project. Please upgrade this child dependency ASAP.

@hemantkd

hemantkd commented Oct 31, 2022

A few of our applications are blocked because of this as well. 😢

@VikingProgrammerMW

This is also causing me and my team huge problems.

@SunitaIBM
Author

Do we have an update on this?

@lebbe

lebbe commented Nov 10, 2022

An "Inefficient Regular Expression Complexity" vulnerability is not of any concern in a build tool. Feel safe to waive this security issue. Also look at this pinned post.

@evankanderson

This seems to be a dup of #12146, and would be resolved by #11174, #12026, or #12026

It appears that migrating from v5 to v6 of @svgr/webpack requires following a migration guide, so the work may be non-trivial.

@mark-wiemer

mark-wiemer commented Feb 20, 2023

#11174 is the correct answer: just move react-scripts out of dependencies and into devDependencies and run npm audit --omit=dev
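
As an added example (not code from the create-react-app project or from any commenter in this thread), the following Python script answers the two questions the thread keeps circling, straight from a package-lock.json: which top-level dependency pulls in the flagged nth-check version, and whether that chain is reachable from the production dependencies or only from devDependencies, which is exactly what npm audit --omit=dev leaves out. The lockfile excerpt is constructed to mirror the tree quoted in the issue, the as_runtime_dependency helper only simulates the "react-scripts listed under dependencies" layout, and the overrides_for helper with its >=2.0.1 range is an illustrative use of npm's overrides field, not something the thread or react-scripts prescribes.

```python
"""Triage a transitive npm advisory from package-lock.json (lockfileVersion 2/3).

Added example, not code from the create-react-app project. It reports every
path from a top-level dependency to a version of the target package below the
fixed version, and whether any such path starts in "dependencies" (shipped)
rather than "devDependencies" (build-time only).
"""
import copy
import json
from typing import Dict, List, Optional, Set

# Constructed lockfile excerpt modelling the tree quoted in the issue.
# Hand-written sample, not a lockfile taken from any real project.
LOCKFILE = json.loads(r"""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies":    { "react": "^18.2.0" },
      "devDependencies": { "react-scripts": "5.0.1" }
    },
    "node_modules/react":             { "version": "18.2.0" },
    "node_modules/react-scripts":     { "version": "5.0.1", "dependencies": { "@svgr/webpack": "^5.5.0" } },
    "node_modules/@svgr/webpack":     { "version": "5.5.0", "dependencies": { "@svgr/plugin-svgo": "^5.5.0" } },
    "node_modules/@svgr/plugin-svgo": { "version": "5.5.0", "dependencies": { "svgo": "^1.2.2" } },
    "node_modules/svgo":              { "version": "1.3.2", "dependencies": { "css-select": "^2.0.0" } },
    "node_modules/css-select":        { "version": "2.1.0", "dependencies": { "nth-check": "^1.0.2" } },
    "node_modules/nth-check":         { "version": "1.0.2" }
  }
}
""")


def parse_version(v: str):
    """Compare plain semver triples; a prerelease suffix is dropped (enough here)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def resolve(packages: Dict, parent: str, name: str) -> Optional[str]:
    """Node-style lookup: nearest node_modules/<name> walking up from parent."""
    base = parent
    while True:
        key = (base + "/" if base else "") + "node_modules/" + name
        if key in packages:
            return key
        if not base:
            return None
        head, sep, _ = base.rpartition("/node_modules/")
        base = head if sep else ""


def triage(lock: Dict, target: str, fixed_in: str) -> Dict:
    """Return every chain reaching target < fixed_in and whether one is shipped."""
    packages = lock["packages"]
    root = packages[""]
    fixed = parse_version(fixed_in)
    paths: List[List[str]] = []
    runtime = False

    def walk(parent: str, deps: Dict, chain: List[str], is_runtime: bool, seen: Set[str]) -> None:
        nonlocal runtime
        for dep in deps:
            key = resolve(packages, parent, dep)
            if key is None or key in seen:
                continue
            node = packages[key]
            label = f"{dep}@{node['version']}"
            if dep == target and parse_version(node["version"]) < fixed:
                paths.append(chain + [label])
                runtime = runtime or is_runtime
            walk(key, node.get("dependencies", {}), chain + [label], is_runtime, seen | {key})

    walk("", root.get("dependencies", {}), [], True, set())       # shipped to production
    walk("", root.get("devDependencies", {}), [], False, set())   # build tooling only
    return {"paths": paths, "runtime_exposure": runtime}


def as_runtime_dependency(lock: Dict, name: str) -> Dict:
    """Simulate the layout #11174 warns against: the build tool under dependencies."""
    lock = copy.deepcopy(lock)
    root = lock["packages"][""]
    root.setdefault("dependencies", {})[name] = root["devDependencies"].pop(name)
    return lock


def overrides_for(target: str, fixed_in: str) -> Dict:
    """package.json fragment forcing every copy of target to a patched version
    (npm >= 8.3 "overrides"); only use after checking the new major is compatible."""
    return {"overrides": {target: f">={fixed_in}"}}


if __name__ == "__main__":
    cases = (("react-scripts in devDependencies", LOCKFILE),
             ("react-scripts in dependencies", as_runtime_dependency(LOCKFILE, "react-scripts")))
    for label, lock in cases:
        report = triage(lock, "nth-check", "2.0.1")
        print(label)
        for path in report["paths"]:
            print("  " + " > ".join(path))
        print("  shipped to production:", report["runtime_exposure"])
    print(json.dumps(overrides_for("nth-check", "2.0.1"), indent=2))
```

With react-scripts under devDependencies the only chain to nth-check@1.0.2 is build-time, which is the situation in which npm audit --omit=dev stops reporting it; moving react-scripts to dependencies flips runtime_exposure to true and the finding should then be treated as shipped. The overrides fragment is the way to pin the transitive version yourself when waiting on the parent package is not an option.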

7 participants