Vulnerability Issues with postcss and nth-check in react-scripts Dependencies

[PrathapKaraka]

I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package in our prismacloudscan.

Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

Node JS version: we tried all possible node versions like node v16.20.2,v18.90, v19.81. and v20.16.0.
React version : 18.2.0

Methods we tried to fix the issue.

1. we are using latest react-scripts verison : 5.0.1,
2. we manually installed latest version of postcss and nth-check
3. we tried to override both dependencies in package.json
   "overrides": {
   "react-scripts": {
   "postcss":"8.4.31",
   "nth-check":"2.0.1"
   }
   } and

"overrides": {
"postcss":"8.4.31",
"nth-check":"2.0.1"
}

we tried nth-check latest version 2.1.1 in overrides and 8.4.45.

we tried npm audit and got following results :

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/css-select/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j
fix available via npm audit fix --force
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install jest@29.7.0, which is a breaking change
node_modules/request
jsdom 0.1.20 || 0.2.0 - 16.5.3
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-native
Depends on vulnerable versions of tough-cookie
node_modules/zem/node_modules/jsdom
jest-environment-jsdom 10.0.2 - 25.5.0
Depends on vulnerable versions of jsdom
node_modules/zem/node_modules/jest-environment-jsdom
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native

now, we tried npm audit fix --force Still issue not resolved, please update react-scripts dependency it was updated 2 years ago

[Sean-Bradley]

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

[qwertychouskie]

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

Do you have a suggested override to fix GHSA-gcx4-mw62-g8wm?

[qwertychouskie]

For now, this is my overrides list in packages.json:

  "overrides": {
    "svgo": {
      "nth-check": ">=2.0.2"
    },
    "react-scripts": {
      "postcss": ">=8.4.31",
      "workbox-webpack-plugin": ">=7.1.0"
    },
    "workbox-build": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-babel": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-replace": {
      "rollup": ">=3.29.5"
    }
  },

I haven't seen any obvious breakages, but please test this before blindly using it in prod.

[HiickFG]

#13778

I have done this PR recently which could solve the problem. In my app where I tested this, I'm using a direct link to an extracted repository of react-scripts containing these changes to override it in package.json, and it shows zero vulnerabilities now.

In my case was only due to react-scripts having old dependencies, which ultimately would trigger the audit warnings for both postcss and nth-check "sub-packages".

[shyamranpara1099]

Sean-Bradley
thank you that is fixed with
"overrides": {
"body-parser": "1.20.3",
"nth-check": ">=2.0.2",
"serve-static": "2.1.0",
"postcss": ">=8.4.31"
},

[disiraThihan]

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
"body-parser": "1.20.3",
"nth-check": ">=2.0.2",
"serve-static": "2.1.0",
"postcss": ">=8.4.31"
},
See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

Thank you ! this fixed my issue ..

[rkristelijn]

can you please patch thanks mui/toolpad#4878 (comment)