Vulnerability Issues with postcss and nth-check in react-scripts Dependencies #13671
I am using these overrides:

```json
"overrides": {
  "body-parser": "1.20.3",
  "nth-check": ">=2.0.2",
  "serve-static": "2.1.0",
  "postcss": ">=8.4.31"
}
```

See my full
Do you have a suggested override to fix GHSA-gcx4-mw62-g8wm?

For now, this is my overrides list in

I haven't seen any obvious breakages, but please test this before blindly using it in prod.
Summary: The most recent release of react scripts is pulling an older version of rollup, which has a bunch of vulnerabilities associated with it (see associated task). Since this hasn't been fixed yet ([see this GitHub issue](facebook/create-react-app#13671)), let's just pin it to the first version that fixes this. We cannot add overrides because we are using yarn. Reviewed By: quark-zju Differential Revision: D63459489 fbshipit-source-id: b047610af75b89a38b8f5f4e212061114ba098d3
I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package in our Prisma Cloud scan.
Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.
Node.js version: we tried all possible Node versions, like v16.20.2, v18.90, v19.81 and v20.16.0.
React version: 18.2.0
Methods we tried to fix the issue:
```json
"overrides": {
  "react-scripts": {
    "postcss": "8.4.31",
    "nth-check": "2.0.1"
  }
}
```

and

```json
"overrides": {
  "postcss": "8.4.31",
  "nth-check": "2.0.1"
}
```

We also tried the latest nth-check version, 2.1.1, in overrides, and 8.4.45.
We ran `npm audit` and got the following results:

```text
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/css-select/node_modules/nth-check
  css-select <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo 1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack 4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jest@29.7.0, which is a breaking change
node_modules/request
  jsdom 0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  Depends on vulnerable versions of tough-cookie
  node_modules/zem/node_modules/jsdom
    jest-environment-jsdom 10.0.2 - 25.5.0
    Depends on vulnerable versions of jsdom
    node_modules/zem/node_modules/jest-environment-jsdom
  request-promise-core *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
  request-promise-native >=1.0.0
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/request-promise-native
```

Now we also tried `npm audit fix --force`, and the issue is still not resolved. Please update the react-scripts dependency; it was last updated 2 years ago.