
Dev: Update react-scripts dependency to remove high severity vulnerabilities

Open mtreacy002 opened this issue 3 years ago • 14 comments

Is your feature request related to a problem? Please describe.

The current react-scripts dependency (v3.4.3) is causing 2 high severity warnings

Describe the solution you'd like

Update react-scripts dependency from 3.4.3 to 4.0.3. Note: this install involves potential breaking changes. While on it, fix other vulnerability warnings as well.

Describe alternatives you've considered

Ignore the warnings if they don't cause major issues.

Additional context

These warnings were caught on the initial dependencies installation of a newly cloned project. Here's the gist of npm audit reports.

mtreacy002 avatar Mar 09 '21 11:03 mtreacy002

@mtreacy002 I have added the Open source hack label for the OSH aspirants

Amulya-coder avatar Mar 18 '21 06:03 Amulya-coder

I would like to work on this issue.

Anmollenka avatar May 22 '21 07:05 Anmollenka

Assigning @Anmollenka.

Amulya-coder avatar May 22 '21 07:05 Amulya-coder

@mtreacy002 just wanted to confirm if medium severity vulnerabilities should be removed too?

Anmollenka avatar Jun 05 '21 08:06 Anmollenka

@mtreacy002 just wanted to confirm if medium severity vulnerabilities should be removed too?

@Amulya-coder Can you just confirm so that I can create a pull request.

Anmollenka avatar Jun 07 '21 09:06 Anmollenka

@Anmollenka, yes, you can go ahead and create a pull request; no need to worry about medium severity vulnerabilities.

Amulya-coder avatar Jun 07 '21 13:06 Amulya-coder

@Anmollenka any updates here?

vj-codes avatar Jun 17 '21 13:06 vj-codes

Will create a PR within an hour.

Anmollenka avatar Jun 17 '21 13:06 Anmollenka

@vj-codes After manually changing the versions, 2 high vulnerabilities are still there.

Anmollenka avatar Jun 20 '21 09:06 Anmollenka

@Anmollenka, can you please show us the steps you've done, along with the log of the npm audit report on a gist? This will help us better understand the issue you are facing. Thanks 😉

mtreacy002 avatar Jun 25 '21 02:06 mtreacy002

Sure @mtreacy002

Anmollenka avatar Jun 30 '21 06:06 Anmollenka

@mtreacy002 I updated the react version to 4.0.3 and ran npm audit. Here is the gist of the npm audit report.

Anmollenka avatar Jul 01 '21 09:07 Anmollenka

@Anmollenka, when you said you've manually changed the versions, which versions are you talking about? For example, I can't see how you've updated the react version to 4.0.3 while the version stated inside package.json is 16.3.1.

Can you please submit the PR with whatever you currently have so that we can see what you have done and how we can improve this? Thanks

mtreacy002 avatar Jul 07 '21 10:07 mtreacy002

@Anmollenka, when you said you've manually changed the versions, which versions are you talking about? For example, I can't see how you've updated the react version to 4.0.3 while the version stated inside package.json is 16.3.1.

Can you please submit the PR with whatever you currently have so that we can see what you have done and how we can improve this? Thanks

Yes @mtreacy002, as I have not submitted my pull request, you will not be able to see my changes. Sorry for the inconvenience caused by not explaining my approach properly.

Anmollenka avatar Jul 07 '21 12:07 Anmollenka