create-react-app
Critical vulnerability in react-scripts package because the package version is not updated
Describe the bug
Yarn audit command shows critical vulnerability for immer package:
my-app % yarn audit --level critical
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Prototype Pollution in immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=9.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > react-dev-utils > immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1002492 │
└───────────────┴──────────────────────────────────────────────────────────────┘
115 vulnerabilities found - Packages audited: 1682
Severity: 85 Moderate | 29 High | 1 Critical
The package.json file for the react-dev-utils package uses the correct version of immer. However, since the version of the react-scripts package was not changed (still 4.0.3 for the last 8 months), the update is not published to the package repositories (npm, yarn).
Did you try recovering your dependencies?
Yes, I did
Which terms did you search for in User Guide?
Fix vulnerabilities
Environment
Environment Info:
current version of create-react-app: 4.0.3
running from /Users/veselov/.npm/_npx/c67e74de0542c87c/node_modules/create-react-app
System:
OS: macOS 10.15.7
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 14.15.4 - /usr/local/bin/node
Yarn: 1.22.10 - ~/homebrew/bin/yarn
npm: 7.22.0 - ~/homebrew/bin/npm
Browsers:
Chrome: 94.0.4606.71
Edge: Not Found
Firefox: 91.1.0
Safari: 15.0
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: ^4.0.3 => 4.0.3
npmGlobalPackages:
create-react-app: Not Found
Steps to reproduce
- Generate my-app
npx create-react-app my-app
cd my-app
- Run audit
yarn audit --level critical
Expected behavior
Expect not to have any critical vulnerabilities
Actual behavior
See above
Reproducible demo
Use the current version of create-react-app
Labels: Possible security incident, Possible compliance risk
This is a development only problem, see https://github.com/facebook/create-react-app/issues/11174 for more info.
There are other high-severity vulnerability issues flagged in 4.0.3 (run npm audit).
Understood that this may only manifest itself in development, but it would be nice to see attention, as many times development code is posted for testing.
Any update on this open item? Issue still persists.
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
Is it possible to move it to development dependencies or to upgrade to a non-vulnerable version?
I get high severity reports when running with yarn and npm:
$ yarn audit --level critical
yarn audit v1.22.15
info No lockfile found.
warning @testing-library/jest-dom > css > [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
warning react-scripts > @svgr/webpack > @svgr/plugin-svgo > [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
warning react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
warning react-scripts > css-minimizer-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
1 vulnerabilities found - Packages audited: 1230
Severity: 1 High
Done in 25.01s.
$ npm audit
# npm audit report
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Environment:
$ npx create-react-app --info
Environment Info:
current version of create-react-app: 5.0.1
running from /.npm/_npx/c67e74de0542c87c/node_modules/create-react-app
System:
OS: Linux 5.15 Ubuntu 20.04.4 LTS (Focal Fossa)
CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
Binaries:
Node: 16.15.1 - ~/.nvm/versions/node/v16.15.1/bin/node
Yarn: 1.22.15 - ~/.nvm/versions/node/v16.15.1/bin/yarn
npm: 8.11.0 - ~/.nvm/versions/node/v16.15.1/bin/npm
Browsers:
Chrome: 103.0.5060.114
Firefox: 102.0
npmPackages:
react: ^18.2.0 => 18.2.0
react-dom: ^18.2.0 => 18.2.0
react-scripts: 5.0.1 => 5.0.1
npmGlobalPackages:
create-react-app: Not Found
Is it possible to move it to development dependencies or to upgrade to a non-vulnerable version?
Yes, you should move react-scripts to dev dependencies per #11174
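The advice above (and the "development only problem" remark earlier in the thread) rests on which section of package.json the audit path enters through: a finding rooted in `dependencies` reads as runtime exposure, one rooted in `devDependencies` as build-time only. The following is an added example, not code from the create-react-app project; the package.json object is constructed to mirror what the generator writes, the `BUILD_TIME_PACKAGES` list and all function names are assumptions, and the audit path is the one yarn printed in the report.

```javascript
// Added example (not create-react-app project code). Classifies a yarn/npm
// audit finding as runtime or dev-only by the package.json section that
// declares the first package on its path, and moves build tooling such as
// react-scripts into devDependencies, which is the fix the thread suggests.

// Constructed sample: the shape `npx create-react-app my-app` produces, with
// react-scripts under "dependencies" (the situation the issue describes).
const SAMPLE_PACKAGE_JSON = {
  name: "my-app",
  dependencies: {
    react: "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "^4.0.3",
  },
  devDependencies: {},
};

// Assumed list of packages that only run at development/build time.
const BUILD_TIME_PACKAGES = ["react-scripts"];

// Split an audit "Path" such as "react-scripts > react-dev-utils > immer"
// into package names, outermost first.
function parseAuditPath(pathString) {
  return pathString
    .split(">")
    .map((segment) => segment.trim())
    .filter(Boolean);
}

// "runtime" if the path enters the tree through "dependencies",
// "dev-only" if through "devDependencies", "unknown" if neither declares it.
function classifyFinding(pkg, pathString) {
  const [root] = parseAuditPath(pathString);
  const deps = pkg.dependencies || {};
  const devDeps = pkg.devDependencies || {};
  if (Object.prototype.hasOwnProperty.call(deps, root)) return "runtime";
  if (Object.prototype.hasOwnProperty.call(devDeps, root)) return "dev-only";
  return "unknown";
}

// Return a copy of package.json with the named packages moved from
// "dependencies" to "devDependencies", keeping their version ranges.
// The input object is left untouched.
function moveToDevDependencies(pkg, names) {
  const dependencies = { ...(pkg.dependencies || {}) };
  const devDependencies = { ...(pkg.devDependencies || {}) };
  for (const name of names) {
    if (Object.prototype.hasOwnProperty.call(dependencies, name)) {
      devDependencies[name] = dependencies[name];
      delete dependencies[name];
    }
  }
  return { ...pkg, dependencies, devDependencies };
}

// Stand-alone run: classify the thread's finding before and after the move.
const auditPath = "react-scripts > react-dev-utils > immer";
console.log("before:", classifyFinding(SAMPLE_PACKAGE_JSON, auditPath));
const fixed = moveToDevDependencies(SAMPLE_PACKAGE_JSON, BUILD_TIME_PACKAGES);
console.log("after: ", classifyFinding(fixed, auditPath));
console.log(JSON.stringify(fixed, null, 2));
```

Once react-scripts sits under devDependencies, `yarn audit --groups dependencies` (Yarn 1) or `npm audit --omit=dev` reports only findings reachable from runtime dependencies; the transitive immer and nth-check findings still exist on the development machine, so the move changes how the risk is scoped, not whether the packages need updating.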