
Resolve vulnerabilities in frontend dependencies after React upgrade #3328

Closed
2 of 7 tasks
jtimpe opened this issue Dec 3, 2024 · 4 comments · Fixed by #3390
Labels: dev, office hours, Refined (Ticket has been refined at the backlog refinement)

Comments

@jtimpe

jtimpe commented Dec 3, 2024

Background

After the upgrade to react-scripts version 5 in #1577, we observed several vulnerabilities reported by npm audit. Specifically, the audit shows 29 vulnerabilities with 18 moderate and 11 high severity.

The goal of this ticket is to address and resolve the vulnerabilities, ideally by running npm audit fix. We will also document any unresolved vulnerabilities and create follow-up tickets for issues that require further attention.

Acceptance Criteria

  • All vulnerabilities are resolved, or documented with an explanation if not fixable.
  • Testing Checklist has been run and all tests pass
  • README is updated, if necessary

Tasks

  • Investigate and attempt to resolve vulnerabilities (timebox to 1 sprint)
  • Document unpatched vulnerabilities where possible
  • Create follow-up tickets for issues requiring more work
  • Run Testing Checklist and confirm all tests pass

Notes

List of vulnerabilities

# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/jest-environment-enzyme/node_modules/braces
node_modules/sane/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/jest-environment-enzyme/node_modules/micromatch
  node_modules/sane/node_modules/micromatch
    @jest/transform  <=24.9.0
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-util
    Depends on vulnerable versions of micromatch
    node_modules/jest-environment-enzyme/node_modules/@jest/transform
      @jest/environment  <=24.9.0
      Depends on vulnerable versions of @jest/fake-timers
      Depends on vulnerable versions of @jest/transform
      node_modules/jest-environment-enzyme/node_modules/@jest/environment
        jest-environment-jsdom  10.0.2 - 25.5.0
        Depends on vulnerable versions of @jest/environment
        Depends on vulnerable versions of @jest/fake-timers
        Depends on vulnerable versions of jest-util
        Depends on vulnerable versions of jsdom
        node_modules/jest-environment-enzyme/node_modules/jest-environment-jsdom
          jest-environment-enzyme  *
          Depends on vulnerable versions of jest-environment-jsdom
          node_modules/jest-environment-enzyme
            jest-enzyme  >=5.0.0
            Depends on vulnerable versions of jest-environment-enzyme
            node_modules/jest-enzyme
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/jest-environment-enzyme/node_modules/anymatch
    node_modules/sane/node_modules/anymatch
      jest-haste-map  18.1.0 - 26.6.2
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of jest-util
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of sane
      node_modules/jest-environment-enzyme/node_modules/jest-haste-map
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
    jest-message-util  18.5.0-alpha.7da3df39 - 24.9.0
    Depends on vulnerable versions of micromatch
    node_modules/jest-environment-enzyme/node_modules/jest-message-util
      @jest/fake-timers  <=24.9.0
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-environment-enzyme/node_modules/@jest/fake-timers
        jest-util  24.2.0-alpha.0 - 24.9.0
        Depends on vulnerable versions of @jest/fake-timers
        node_modules/jest-environment-enzyme/node_modules/jest-util

cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
node_modules/sane/node_modules/cross-spawn

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/tsconfig-paths/node_modules/json5

loader-utils  2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/loader-utils


minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

nanoid  <3.3.8
Infinite loop in nanoid - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts

path-to-regexp  <0.1.12
Severity: moderate
Unpatched `path-to-regexp` ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix`
node_modules/path-to-regexp
  express  4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of path-to-regexp
  node_modules/express

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/request
  jsdom  0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of tough-cookie
  node_modules/jest-environment-enzyme/node_modules/jsdom
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

semver  >=7.0.0 <7.5.2 || <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install pa11y-ci@2.4.2, which is a breaking change
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/core-js-compat/node_modules/semver
node_modules/jest-environment-enzyme/node_modules/normalize-package-data/node_modules/semver
node_modules/pa11y/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/sane/node_modules/semver
  core-js-compat  3.6.0 - 3.25.0
  Depends on vulnerable versions of semver
  node_modules/core-js-compat
  pa11y  6.0.0-alpha - 6.2.3
  Depends on vulnerable versions of semver
  node_modules/pa11y
    pa11y-ci  >=3.0.0
    Depends on vulnerable versions of pa11y
    node_modules/pa11y-ci

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/jest-environment-enzyme/node_modules/tough-cookie
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  2.1.0 - 5.2.3
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/jest-environment-enzyme/node_modules/ws

29 vulnerabilities (18 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
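As an added example (not code from the TANF-app project or from this ticket), a small Node script that takes the JSON form of the same report, `npm audit --json`, and separates the findings `npm audit fix` handles on its own from those that need `--force` (a breaking upgrade) or have no fix at all, which is the input the "document unpatched vulnerabilities" task needs. The `fixAvailable` and `via` fields are npm's auditReportVersion 2 format; the sample report below is constructed by hand and `orphan-pkg` is a placeholder, not a real package.

```javascript
// Added example, not code from the TANF-app project: sort `npm audit --json` findings
// into what plain `npm audit fix` resolves, what needs `--force` (a breaking upgrade)
// and what has no fix at all, so the unpatched ones can be documented in the ticket.
// SAMPLE_AUDIT is constructed by hand in the shape npm 7+ emits (auditReportVersion 2).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "cross-spawn": { name: "cross-spawn", severity: "high", range: "<6.0.6 || >=7.0.0 <7.0.5",
      via: [{ url: "https://github.com/advisories/GHSA-3xgq-45jj-v275" }], fixAvailable: true },
    "nth-check": { name: "nth-check", severity: "high", range: "<2.0.1",
      via: [{ url: "https://github.com/advisories/GHSA-rp65-9cf3-cjxr" }],
      fixAvailable: { name: "react-scripts", version: "3.0.1", isSemVerMajor: true } },
    "css-select": { name: "css-select", severity: "high", range: "<=3.1.0",
      via: ["nth-check"], // a bare string means "depends on a vulnerable version of"
      fixAvailable: { name: "react-scripts", version: "3.0.1", isSemVerMajor: true } },
    "orphan-pkg": { name: "orphan-pkg", severity: "moderate", range: "*", // constructed placeholder
      via: [{ url: "https://example.invalid/GHSA-placeholder" }], fixAvailable: false },
  },
};

// Bucket each finding by remediation path. Only object entries in `via` carry advisory URLs;
// `fixAvailable` is true, false, or { name, version, isSemVerMajor } for the top-level bump needed.
function classifyAudit(report) {
  const buckets = { fixable: [], breaking: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const advisories = v.via.filter((x) => typeof x === "object").map((x) => x.url);
    const entry = { name: v.name, severity: v.severity, range: v.range, advisories };
    const fix = v.fixAvailable;
    if (fix === false) buckets.unfixable.push(entry);
    else if (typeof fix === "object" && fix.isSemVerMajor) {
      buckets.breaking.push({ ...entry, requires: `${fix.name}@${fix.version}` });
    } else buckets.fixable.push(entry); // `true`, or a non-major bump `npm audit fix` applies itself
  }
  return buckets;
}

// Markdown list to paste into the ticket for everything `npm audit fix` alone cannot clear.
function renderUnpatched({ breaking, unfixable }) {
  const note = (e) => (e.requires ? `needs ${e.requires}, breaking` : "no fix available");
  return [...breaking, ...unfixable]
    .map((e) => [`- ${e.name} ${e.range} [${e.severity}] (${note(e)})`, ...e.advisories].join(" "))
    .join("\n");
}

// Stand-alone run over the constructed sample; for a real report, JSON.parse a saved
// `npm audit --json` file and pass that object instead of SAMPLE_AUDIT.
console.log(renderUnpatched(classifyAudit(SAMPLE_AUDIT)));
```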
@jtimpe jtimpe added the dev label Dec 3, 2024
@jtimpe jtimpe mentioned this issue Dec 3, 2024
31 tasks
@lhuxraft

Most urgent priority following react upgrade

@lhuxraft lhuxraft added the Refined (Ticket has been refined at the backlog refinement) and P3 (Needed – Routine) labels Dec 10, 2024
@lhuxraft lhuxraft changed the title Frontend dependency security vulnerabilities Resolve vulnerabilities in frontend dependencies after React upgrade Dec 12, 2024
@lhuxraft lhuxraft removed the P3 (Needed – Routine) label Dec 17, 2024
@lhuxraft

12/30: Running into issues with accessibility tests; can discuss in office hours or when Jan is back.

@raftmsohani

raftmsohani commented Jan 3, 2025

Almost all vulnerabilities are due to the react-scripts version; when we upgrade it to version 5, we will only see 8 vulnerabilities (2 moderate, 6 high). However, after upgrading the react-scripts package, USWDS has to be upgraded to the latest version (at this time it is "@uswds/uswds": "^3.11.0"), which requires some changes to how we import the package as well as this.

Another approach is to force dependency packages with vulnerabilities using "overrides", but it causes build failures, test failures, etc., and only a handful of packages can be upgraded with no visible issue.

see:

  1. USWDS upgrade

@ADPennington ADPennington mentioned this issue Jan 10, 2025
28 tasks
@ADPennington

my results:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/request
  jsdom  0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/jest-environment-enzyme/node_modules/jsdom
    jest-environment-jsdom  10.0.2 - 25.5.0
    Depends on vulnerable versions of jsdom
    node_modules/jest-environment-enzyme/node_modules/jest-environment-jsdom
      jest-environment-enzyme  *
      Depends on vulnerable versions of jest-environment-jsdom
      node_modules/jest-environment-enzyme
        jest-enzyme  >=5.0.0
        Depends on vulnerable versions of jest-environment-enzyme
        node_modules/jest-enzyme
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    node_modules/request-promise-native

7 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
npm notice
npm notice New major version of npm available! 10.2.4 -> 11.0.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.0.0
npm notice Run npm install -g npm@11.0.0 to update!
npm notice

apennington@HHSLBDSWL73 MINGW64 ~/GitHub/RAFT/TANF-app/tdrs-frontend (3328-vul-audit)
$ npm version
{
  'tdrs-frontend': '0.1.0',
  npm: '10.2.4',
...
}
