
Vulnerability Issues with postcss and nth-check in react-scripts Dependencies #13671

Open
PrathapKaraka opened this issue Sep 9, 2024 · 3 comments

Comments

@PrathapKaraka

I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package in our Prisma Cloud scan.

Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

Node.js version: we tried all possible Node versions, like node v16.20.2, v18.90, v19.81 and v20.16.0.
React version: 18.2.0

Methods we tried to fix the issue.

  1. We are using the latest react-scripts version: 5.0.1.
  2. We manually installed the latest versions of postcss and nth-check.
  3. We tried to override both dependencies in package.json:

     "overrides": {
       "react-scripts": {
         "postcss": "8.4.31",
         "nth-check": "2.0.1"
       }
     }

     and

     "overrides": {
       "postcss": "8.4.31",
       "nth-check": "2.0.1"
     }

     We also tried the latest nth-check version, 2.1.1, and postcss 8.4.45 in overrides.

We ran npm audit and got the following results:

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/css-select/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j
fix available via npm audit fix --force
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install jest@29.7.0, which is a breaking change
node_modules/request
jsdom 0.1.20 || 0.2.0 - 16.5.3
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-native
Depends on vulnerable versions of tough-cookie
node_modules/zem/node_modules/jsdom
jest-environment-jsdom 10.0.2 - 25.5.0
Depends on vulnerable versions of jsdom
node_modules/zem/node_modules/jest-environment-jsdom
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native

Now we have also tried npm audit fix --force and the issue is still not resolved. Please update the react-scripts dependencies; they were last updated 2 years ago.

@Sean-Bradley

Sean-Bradley commented Sep 11, 2024

I am using these overrides and have 0 vulnerabilities (Sep 11 2024):

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

@qwertychouskie

Do you have a suggested override to fix GHSA-gcx4-mw62-g8wm?

@qwertychouskie

For now, this is my overrides list in package.json:

  "overrides": {
    "svgo": {
      "nth-check": ">=2.0.2"
    },
    "react-scripts": {
      "postcss": ">=8.4.31",
      "workbox-webpack-plugin": ">=7.1.0"
    },
    "workbox-build": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-babel": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-replace": {
      "rollup": ">=3.29.5"
    }
  },

I haven't seen any obvious breakages, but please test this before blindly using it in prod.
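The overrides posted in this thread only help if the patched version actually replaced every nested copy, and both npm audit and third-party scanners decide that from package-lock.json, not from what is listed at the top of node_modules. The script below is an added example, not code from this issue or from the react-scripts project: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json, lists every installed copy of a package together with the node_modules path it lives at, and flags copies below the first patched release named in the advisories quoted above (nth-check 2.0.1, postcss 8.4.31). The sample lockfile and the package names in it are constructed for the example; the version comparison is a simplified major.minor.patch compare (an assumption that is adequate for these packages, which publish plain release versions).

```javascript
// Added example: verify that package.json "overrides" really replaced every
// nested copy of a package, by reading package-lock.json the way npm audit does.
// Not code from the issue or from react-scripts.

// Simplified "major.minor.patch" comparison (assumption: no prerelease tags,
// which holds for the nth-check and postcss releases discussed in the thread).
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`: [{ path, version }, ...].
// A nested copy sits at ".../node_modules/<parent>/node_modules/<name>",
// which is exactly where npm audit reported the vulnerable nth-check above.
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry || !entry.version) continue; // '' is the root project
    const last = path.split('node_modules/').pop(); // handles scoped names too
    if (last === name) copies.push({ path, version: entry.version });
  }
  return copies;
}

// Copies still below `minVersion` (the first patched release).
function findVulnerableCopies(lock, name, minVersion) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, minVersion) < 0
  );
}

// Report for several packages at once: { name: [vulnerable copies] }.
function auditLock(lock, minimums) {
  const report = {};
  for (const [name, min] of Object.entries(minimums)) {
    report[name] = findVulnerableCopies(lock, name, min);
  }
  return report;
}

// Constructed sample lockfile (lockfileVersion 3 layout). The top-level
// nth-check was overridden to 2.1.1, but a nested copy under
// svgo -> css-select was left at the pre-patch 1.0.2, so the override did
// not fully take effect. postcss is patched everywhere.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/nth-check': { version: '2.1.1' },
    'node_modules/postcss': { version: '8.4.45' },
    'node_modules/svgo': { version: '1.3.2' },
    'node_modules/svgo/node_modules/css-select': { version: '2.1.0' },
    'node_modules/svgo/node_modules/css-select/node_modules/nth-check': { version: '1.0.2' },
    'node_modules/resolve-url-loader/node_modules/postcss': { version: '8.4.31' },
  },
};

// First patched versions, taken from the advisories quoted in this issue.
const MINIMUMS = { 'nth-check': '2.0.1', postcss: '8.4.31' };

if (typeof require !== 'undefined' && require.main === module) {
  // In a real project: const lock = require('./package-lock.json');
  const report = auditLock(SAMPLE_LOCK, MINIMUMS);
  for (const [name, bad] of Object.entries(report)) {
    if (bad.length === 0) console.log(`${name}: every copy is >= ${MINIMUMS[name]}`);
    for (const c of bad) console.log(`${name}: ${c.path} is ${c.version} < ${MINIMUMS[name]}`);
  }
}
```

Run it against the project's own package-lock.json after `npm install`; a non-empty list for a package means the override did not reach that nested copy and the scanner will keep flagging it. `npm ls nth-check` gives the same picture from npm itself and is worth running next to this.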

facebook-github-bot pushed a commit to facebook/sapling that referenced this issue Sep 27, 2024
Summary:
The most recent release of react scripts is pulling an older version of rollup, which has a bunch of vulnerabilities associated with it (see associated task).

Since this hasn't been fixed yet ([see this GitHub issue](facebook/create-react-app#13671)), let's just pin it to the first version that fixes this. We cannot add overrides because we are using yarn.

Reviewed By: quark-zju

Differential Revision: D63459489

fbshipit-source-id: b047610af75b89a38b8f5f4e212061114ba098d3