
[Bug] High Severity Vulnerabilities in Older react-scripts and node-sass and Nested Dependencies

Open: mekkim opened this issue 2 years ago • 1 comment

Version

Latest

Reproduction link

https://github.com/creativetimofficial/argon-design-system-react

Operating System

All

Device

All

Browser & Version

All

Steps to reproduce

Run npm audit against latest branch.

What is expected?

No vulnerabilities in dependencies

What is actually happening?

38 vulnerabilities (20 moderate, 18 high) in dependencies. npm audit fix advises that upgrades required to address vulnerabilities are breaking.


Solution

Dependencies and any resulting breaking feature changes should be resolved: react-scripts to version 5.0.0+, node-sass to version 7.0.1+.

Additional comments

npm audit log: https://pastes.io/tr6m6umkip

mekkim avatar Mar 21 '22 14:03 mekkim

Can be fixed by changing package.json to use latest versions of node-sass and react-scripts (though unsure if that breaks anything as latest is a breaking change relative to currently listed versions--testing required!)

"node-sass": "latest",
"react-scripts": "latest",

plus adding the following at the end for the nested dependencies of glob-parent and nth-check. Same caveat re: breaking potential:

"overrides": {
  "glob-parent": "latest",
  "nth-check": "latest"
}

mekkim avatar Mar 21 '22 14:03 mekkim
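As an added illustration (not from the issue author or the project), a small script that triages an `npm audit --json` report the way the comment above reasons: it counts findings per severity, lists the direct dependencies whose available fix is a semver-major bump (the "breaking" upgrades `npm audit fix` warns about), and picks out transitive packages with their own advisory as candidates for an `overrides` entry. The report object is constructed for the example; the package names and version floors follow the issue, not the pasted log.

```javascript
// Constructed sample in the npm 7+ `npm audit --json` shape; not the real log.
const sampleAudit = {
  vulnerabilities: {
    "nth-check": {
      name: "nth-check", severity: "high", isDirect: false,
      via: [{ name: "nth-check", severity: "high", range: "<2.0.1" }],
      effects: ["css-select"], range: "<2.0.1",
      fixAvailable: { name: "react-scripts", version: "5.0.0", isSemVerMajor: true },
    },
    "glob-parent": {
      name: "glob-parent", severity: "high", isDirect: false,
      via: [{ name: "glob-parent", severity: "high", range: "<5.1.2" }],
      effects: ["chokidar"], range: "<5.1.2",
      fixAvailable: { name: "react-scripts", version: "5.0.0", isSemVerMajor: true },
    },
    "node-sass": {
      name: "node-sass", severity: "moderate", isDirect: true,
      via: [{ name: "node-sass", severity: "moderate", range: "<7.0.0" }],
      effects: [], range: "<7.0.0",
      fixAvailable: { name: "node-sass", version: "7.0.1", isSemVerMajor: true },
    },
    // Entry whose `via` is only a string: it is vulnerable through nth-check,
    // it has no advisory of its own, so overriding it would not help.
    "css-select": {
      name: "css-select", severity: "high", isDirect: false,
      via: ["nth-check"], effects: ["svgo"], range: "<=3.1.0",
      fixAvailable: { name: "react-scripts", version: "5.0.0", isSemVerMajor: true },
    },
  },
};

function triageAudit(report) {
  const bySeverity = {};
  const breakingDirect = new Set();  // direct deps whose fix is a major bump
  const overrideCandidates = [];     // transitive packages with their own advisory
  for (const v of Object.values(report.vulnerabilities)) {
    bySeverity[v.severity] = (bySeverity[v.severity] || 0) + 1;
    const fix = v.fixAvailable;       // object, true or false in npm's output
    if (fix && typeof fix === "object" && fix.isSemVerMajor) {
      breakingDirect.add(`${fix.name}@${fix.version}`);
    }
    const ownAdvisory = v.via.some((x) => typeof x === "object");
    if (!v.isDirect && ownAdvisory) overrideCandidates.push(v.name);
  }
  return { bySeverity, breakingDirect: [...breakingDirect].sort(),
           overrideCandidates: overrideCandidates.sort() };
}
```

On a real project, `npm audit --json > audit.json` and `triageAudit(JSON.parse(require("fs").readFileSync("audit.json", "utf8")))` give the same summary; pinning the override candidates to an explicit version rather than `latest` keeps the install reproducible.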