
update vulnerable dependencies

Open juliocarneiro opened this issue 3 years ago • 10 comments

Describe the bug

Snyk reports vulnerable dependencies in react-scripts

Did you try recovering your dependencies?

yes

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

System:
  OS: Windows 10 10.0.19044
  CPU: (4) x64 Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
Binaries:
  Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.17 - C:\Program Files\nodejs\yarn.CMD
  npm: 8.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Chrome: Not Found
  Edge: Spartan (44.19041.1266.0), Chromium (98.0.1108.50)
  Internet Explorer: 11.0.19041.1202
npmPackages:
  react: ^17.0.2 => 17.0.2
  react-dom: ^17.0.2 => 17.0.2
  react-scripts: 5.0.0 => 5.0.0
npmGlobalPackages:
  create-react-app: Not Found

Steps to reproduce

(Write your steps here:)

  1. Open cra project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Expected behavior

There should be no vulnerabilities

Actual behavior

Regular Expression Denial of Service (ReDoS) Vulnerability | CVE-2021-3803 | CWE-1333 | CVSS 7.5 | SNYK-JS-NTHCHECK-1586032
Vulnerable module: nth-check
Introduced through: [email protected]
Fixed in: [email protected]
Exploit maturity: Not Defined
Detailed paths
  Introduced through: [email protected] > [email protected] > @svgr/[email protected] > @svgr/[email protected] > [email protected] > [email protected] > [email protected]
Remediation: Upgrade nth-check to version 2.0.1 or higher. (@svgr/[email protected] to @svgr/[email protected])

Regular Expression Denial of Service (ReDoS) Vulnerability | CVE-2021-33587 | CWE-400 | CVSS 5.3 | SNYK-JS-CSSWHAT-1298035
Vulnerable module: css-what
Introduced through: [email protected]
Fixed in: [email protected]
Exploit maturity: Not Defined
Detailed paths
  Introduced through: [email protected] > [email protected] > @svgr/[email protected] > @svgr/[email protected] > [email protected] > [email protected] > [email protected]
Remediation: Upgrade css-what to version 5.0.1 or higher. (@svgr/[email protected] to @svgr/[email protected])

Reproducible demo

https://github.com/juliocarneiro/react-chrome-extension

  1. Open project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

juliocarneiro avatar Feb 13 '22 14:02 juliocarneiro

This can be fixed by updating the @svgr/webpack dependency in react-scripts to latest version (6.2.1) - https://github.com/facebook/create-react-app/blob/main/packages/react-scripts/package.json#L33

ghost avatar Feb 28 '22 05:02 ghost

Any ETA on this? Snyk promoted this to a high-severity vulnerability. Utilizing overrides for now.

NapalmCodes avatar Jun 17 '22 19:06 NapalmCodes

Any update?

struginskij avatar Jul 05 '22 08:07 struginskij

Any update?

satori-code avatar Jul 11 '22 04:07 satori-code

Do you have any timetable where this might get fixed?

OmegaDL2 avatar Jul 21 '22 15:07 OmegaDL2

This is triggering a high-severity alert in dependabot as well: https://github.com/DataBiosphere/jade-data-repo-ui/security/dependabot/12

samanehsan avatar Aug 02 '22 15:08 samanehsan

This is showing as a high vulnerability for us, with a dependency on react-scripts 5.0.0 (CVE-2021-3803). Any pointers/ETA on this will be helpful.

rishabhdugar avatar Aug 10 '22 09:08 rishabhdugar

Any update?

juliocarneiro avatar Aug 18 '22 22:08 juliocarneiro

If the repo owners won't fix, is there any known workaround?

MrAndrew avatar Aug 20 '22 15:08 MrAndrew

We will be switching to ViteJS because of this.

exil0867 avatar Sep 01 '22 11:09 exil0867

Hi, I'm still experiencing this issue, and nothing solves it, is there a solution for it?

shirelfanbaum avatar Nov 09 '22 13:11 shirelfanbaum

+1

mwolski89 avatar Dec 01 '22 10:12 mwolski89

Until this is patched, you can override the @svgr/webpack version by adding the following to your package.json.

  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

You will need to be using a fairly recent version of NPM for this to work (I forget the exact version overrides were introduced). Updating the version of @svgr/webpack is what the PR does, but if you want a more precise override, you can also go deeper and just pin nth-check. See https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides for more info.

GrimzEcho avatar Dec 13 '22 20:12 GrimzEcho
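An override like the one above only helps if the patched version is actually what got installed, and npm can leave an old copy nested under the dependency that required it even when a newer copy is hoisted to the top level. The script below is an added example, not code from this thread or from create-react-app: it scans a lockfile v2/v3 `packages` map for every installed copy of the two packages Snyk flagged and compares each against the fixed versions quoted in the advisories above (2.0.1 for nth-check, 5.0.1 for css-what). The sample lockfile is constructed for illustration; its version numbers are not taken from the thread.

```javascript
// Added example (not code from the thread or from create-react-app): verify that an
// override actually landed by scanning package-lock.json for every installed copy of
// the flagged packages and comparing each against the version Snyk reports as fixed.
// Versions in FIXED come from the advisories quoted in the issue; the sample lockfile
// below is constructed for illustration and its version numbers are not from the thread.

const FIXED = { 'nth-check': '2.0.1', 'css-what': '5.0.1' };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored for this check).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison; a string comparison would rank 1.10.0 below 1.9.9.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 "packages" keys are install paths such as
// "node_modules/cheerio/node_modules/nth-check"; the package name (scope included)
// is whatever follows the last "node_modules/".
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Return every installed copy whose version is below the fixed version. Nested copies
// matter: a hoisted, patched nth-check does not remove an old one nested under svgo.
function findVulnerable(lock, fixed = FIXED) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name || !(name in fixed) || !meta.version) continue;
    if (compareVersions(meta.version, fixed[name]) < 0) {
      findings.push({ name, installed: meta.version, fixed: fixed[name], path: installPath });
    }
  }
  return findings;
}

// Constructed sample: an old nth-check and css-what still nested under the svgo chain
// while a newer nth-check is hoisted to the top level. Version numbers are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { 'react-scripts': '5.0.0' } },
    'node_modules/react-scripts': { version: '5.0.0' },
    'node_modules/nth-check': { version: '2.1.1' },
    'node_modules/svgo/node_modules/nth-check': { version: '1.0.2' },
    'node_modules/svgo/node_modules/css-what': { version: '3.4.2' },
  },
};

function report(findings) {
  return findings.map(f => `${f.name}@${f.installed} at ${f.path} (fixed in ${f.fixed})`);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Pass a real package-lock.json path to scan a project; otherwise scan the sample.
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  const findings = findVulnerable(lock);
  console.log(findings.length ? report(findings).join('\n') : 'no vulnerable copies found');
  // Non-zero exit only when scanning a real lockfile, so this can gate a CI step.
  if (lockPath && findings.length) process.exitCode = 1;
}
```

Run it as `node check-lock.js package-lock.json` after `npm install` with the override in place; a non-empty report means the override did not reach every copy, which is when pinning `nth-check` directly (as GrimzEcho suggests) rather than `@svgr/webpack` is worth trying. The check only understands lockfileVersion 2 and 3, which carry the flat `packages` map; a v1 lockfile nests everything under `dependencies` and would report nothing, so confirm the version field first or fall back to `npm ls nth-check`, which walks the installed tree itself.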

I use this web utility to update my package.json before we go into production, and am still finding that the vuln exists in the latest version, now ^5.0.1

This matters because we can't deploy vulnerabilities.

npm list

+-- [email protected]

npm audit

npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change

Maybe this will get fixed after the tech recession, lol

This worked for me

Until this is patched, you can override the @svgr/webpack version by adding the following to your package.json.

  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

You will need to be using a fairly recent version of NPM for this to work (I forget the exact version overrides were introduced). Updating the version of @svgr/webpack is what the PR does, but if you want a more precise override, you can also go deeper and just pin nth-check. See https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides for more info.

nwoodr94 avatar Mar 08 '23 21:03 nwoodr94