
Security Audit Failed Due to Moderate Vulnerability in @babel/runtime

Open vanGalilea opened this issue 11 months ago • 3 comments

We have encountered a security issue related to a vulnerable dependency in react-select. Our security audit failed due to the following moderate vulnerabilities:

Found Vulnerable Advisory Paths:

- GHSA-968p-4wvh-cqc8 | react-select > @babel/runtime
- GHSA-968p-4wvh-cqc8 | react-select > @emotion/react > @babel/runtime
- GHSA-968p-4wvh-cqc8 | react-select > @emotion/react > @emotion/babel-plugin > @babel/runtime
- GHSA-968p-4wvh-cqc8 | react-select > @emotion/react > @emotion/babel-plugin > babel-plugin-macros > @babel/runtime
- GHSA-968p-4wvh-cqc8 | react-select > react-transition-group > @babel/runtime
- GHSA-968p-4wvh-cqc8 | react-select > react-transition-group > dom-helpers > @babel/runtime

Security Advisory:

GHSA-968p-4wvh-cqc8

Steps to Reproduce:

Run yarn audit or npm audit in a project using react-select. Observe that the security audit fails due to the above vulnerabilities.

Expected Behavior:

Security audit should pass without any vulnerabilities.

Actual Behavior:

Security audit fails with moderate severity vulnerabilities related to @babel/runtime.

Suggested Fix:

Upgrade dependencies in react-select that rely on outdated versions of @babel/runtime. If a fix is available in upstream dependencies, updating the relevant packages may resolve the issue.

Please advise on whether there is an existing fix or if a dependency update is planned in an upcoming release.

Thanks!

vanGalilea avatar Mar 12 '25 14:03 vanGalilea

You should be able to fix this yourself by deleting your package lock file and node_modules and re-running package installation. This works because the dependency on @babel/runtime is ^7.12.0, so it should choose the most recent version on a fresh install. Feel free to create a PR to bump the dependency here as well.

Methuselah96 avatar Mar 12 '25 14:03 Methuselah96
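As an added example (not react-select's code and not from anyone in this thread), a small Node script that lists every copy of @babel/runtime a package-lock.json has resolved and flags the ones older than the patched release the audit names (>=7.26.10), so you can confirm a fresh install actually replaced the stale pins before re-running the audit. The lockfileVersion 2/3 `packages` layout and the sample lock entries are assumptions constructed for the example.

```javascript
// Added example (not react-select's code, nor from anyone in this thread):
// scan a package-lock.json (lockfileVersion 2/3 "packages" map, an assumption)
// for every resolved copy of @babel/runtime and flag those older than the
// patched version the audit output names, >=7.26.10 (GHSA-968p-4wvh-cqc8).
const PATCHED = "7.26.10";

// Numeric compare of two dotted versions; pre-release tags are ignored (assumption).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every install path of pkgName in the lock, with a vulnerable flag per entry.
// Nested copies (foo/node_modules/@babel/runtime) are what a stale lock keeps pinned.
function findPackageVersions(lock, pkgName = "@babel/runtime") {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + pkgName)) continue;
    out.push({ path, version: meta.version, vulnerable: cmpVersion(meta.version, PATCHED) < 0 });
  }
  return out;
}

// Constructed sample lock (versions are placeholders): the top-level copy is
// already patched, but a nested copy under react-select is still pinned to 7.25.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/@babel/runtime": { version: "7.26.10" },
    "node_modules/react-select": { version: "5.0.0" },
    "node_modules/react-select/node_modules/@babel/runtime": { version: "7.25.0" },
  },
};

// Entries that would still trip the audit if this lock were kept as-is.
function vulnerableInSample() {
  return findPackageVersions(SAMPLE_LOCK).filter((e) => e.vulnerable);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const e of vulnerableInSample()) console.log(`${e.path}: ${e.version} < ${PATCHED}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.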

That worked well for me, I'll raise an MR 👍🏻

vanGalilea avatar Jul 24 '25 07:07 vanGalilea

```text
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Babel has inefficient RegExp complexity in generated code    │
│               │ with .replace when transpiling named capturing groups        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @babel/runtime                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.26.10                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-select                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-select > @babel/runtime                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1104000                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Babel has inefficient RegExp complexity in generated code    │
│               │ with .replace when transpiling named capturing groups        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @babel/runtime                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.26.10                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-select                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-select > @emotion/react > @babel/runtime               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1104000                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Babel has inefficient RegExp complexity in generated code    │
│               │ with .replace when transpiling named capturing groups        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @babel/runtime                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.26.10                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-select                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-select > @emotion/react > @emotion/babel-plugin >      │
│               │ @babel/runtime                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1104000                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Babel has inefficient RegExp complexity in generated code    │
│               │ with .replace when transpiling named capturing groups        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @babel/runtime                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.26.10                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-select                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-select > @emotion/react > @emotion/babel-plugin >      │
│               │ babel-plugin-macros > @babel/runtime                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1104000                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found
```

scalarerp avatar Aug 12 '25 11:08 scalarerp