create-react-app
Vulnerability in react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what
Describe the bug
Upgrade react-scripts to have @svgr/webpack@6.* as the dependency, as the current @svgr/[email protected] has the following vulnerable versions as dependencies:
nth-check - https://security.snyk.io/vuln/SNYK-JS-NTHCHECK-1586032
css-what - https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-1298035
Below is the dependency tree:
+-- [email protected]
├─┬ @svgr/[email protected]
│ └─┬ @svgr/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
└── [email protected]
Environment
Environment Info:
  current version of create-react-app: 5.0.0
  System:
    OS: Windows 7 6.1.7601
    CPU: (8) x64 Intel(R) Xeon(R) CPU E3-1585L v5 @ 3.00GHz
  Binaries:
    Node: 14.17.6 - ...\tools\nodejs14-win7\latest\node.EXE
    Yarn: Not Found
    npm: 8.2.0 - ...\data\npm14\npm.CMD
  Browsers:
    Chrome: 97.0.4692.71
    Internet Explorer: 11.0.9600.20139
Steps to reproduce
npx create-react-app
Expected behavior
The react-scripts should not be having any dependency on vulnerable components.
Actual behavior
The dependent package @svgr/webpack 5.5.0 refers to vulnerable components; as per the author, v6 has the fix for this.
Hi, any updates on when the package will be updated? Thank you.
Hi, I am also facing the same issue. When I upgrade react-scripts to version 5.0.0 and run npm audit, I get the same vulnerability error.
Error: Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
FYI, upgrade react-scripts to have @svgr/webpack@6.* as the dependency, as the current @svgr/[email protected] has the following vulnerable versions as dependencies.
Thanks & Regards, Praveen Kumar D.
same here...
% npm audit
# npm audit report
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
6 moderate severity vulnerabilities
I'm using react-scripts 5.0.0
% npm list react-scripts
[email protected] /Users/palmito/Development/risk-util-tool/webapp
└── [email protected]
the vulnerable dependency is dependent on [email protected]
% npm list nth-check
create-react-app@ /Users/palmito/Development/create-react-app
├─┬ cra-docs@ -> ./docusaurus/website
│ └─┬ @docusaurus/[email protected]
│ └─┬ @slorber/[email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected] -> ./packages/react-scripts
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
The vulnerable dependency is caused by svg-term-cli; the project seems to have been abandoned for a couple of years (a lot of dependabot pull requests are getting rotten...)
@marionebl any feedback on svg-term-cli ?
Have you guys read this stickied issue? https://github.com/facebook/create-react-app/issues/11174
moving the dependency to dev makes the vulnerability only dependent on @svgr/webpack
% npm list nth-check
[email protected] /Users/palmito/Development/risk-util-tool/webapp
└─┬ [email protected]
├─┬ @svgr/[email protected]
│ └─┬ @svgr/[email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
followed-up here #12146
Hi, any updates on when the package will be updated? Thanks & Regards, Praveen Kumar D.
Read this: #11174 ...then wait, there are more important things than fixing false positives. It will be fixed at the next scheduled update or when a critical bug appears.
Fair enough
same issue.
npm run build, failed to compile.
npm audit fix, got this:

Is there any ETA for nth-check & css-what vulnerabilities?
While this issue is not fixed, I did a workaround to solve it.
The problem seems to start with the lib @svgr/webpack 4.0.0 - 5.0.0.

If you are using node >= 16, you can install @svgr/webpack by yourself; in my case I installed version "^6.2.1" as a devDependency.

After that, you should create an overrides (or resolutions if you are using yarn) section in your package.json and include the line: "@svgr/webpack": "$@svgr/webpack" (in my case, I already had react and react-dom there).

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.
This worked for me :)

thanks, bro
i was getting mad, thanks bro! it worked perfect.
if there's a newbie like me there, you can install the dependency with this line:
npm install @svgr/webpack --save-dev
In my case, my overrides in package.json should be
"overrides": { "@svgr/webpack": "^6.2.1" },
"To make this limitation easier to deal with, overrides may also be defined as a reference to a spec for a direct dependency by prefixing the name of the package you wish the version to match with a $"
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

Best solution:
"overrides": {
"nth-check": "2.0.1"
},
Is there any ETA for this?
Any update?
npm install --save-dev webpack@
Any update?
If you move react-scripts to "devDependencies", npm audit --production does not display any vulnerabilities.
The best explanation of why everything is in "dependencies" is here. https://stackoverflow.com/questions/44868453/create-react-app-install-devdepencies-in-dependencies-section/44872787#44872787
But in fact, it matters when running npm audit --production, because devDependencies are ignored.
https://github.com/facebook/create-react-app/issues/11647#issuecomment-1243863292