Bumps @svgr/webpack dependency to version 6.2.1

Open daschaa opened this issue 2 years ago • 15 comments

Regarding the issue https://github.com/facebook/create-react-app/issues/12146 the @svgr/webpack dependency has to be updated to fix the security warning related to the transitive nth-check dependency.

daschaa avatar Mar 15 '22 13:03 daschaa

@iansu / @mrmckeb Any feedback on this? Would be cool to have this merged so repositories which are using CRA (react-scripts in particular) would not be bothered by dependabot complaining about the CVE (GHSA) in nth-check.

daschaa avatar Apr 05 '22 06:04 daschaa

All checks are fine. Could you please merge this?

bbodensieck avatar Apr 20 '22 12:04 bbodensieck

Up

jy95 avatar May 31 '22 23:05 jy95

This should be merged.

ranman avatar Jul 20 '22 02:07 ranman

Please do hit the merge-button 🙂

bakgaard avatar Aug 02 '22 07:08 bakgaard

@iansu @mrmckeb Bumping this for visibility

BrandonKoala avatar Aug 18 '22 23:08 BrandonKoala

These issues may all need this PR:

  • https://github.com/facebook/create-react-app/issues/12146
  • https://github.com/facebook/create-react-app/issues/12132
  • https://github.com/facebook/create-react-app/issues/11770
  • https://github.com/facebook/create-react-app/issues/11753

Similar PR, no progress:

  • https://github.com/facebook/create-react-app/pull/12026
  • https://github.com/facebook/create-react-app/pull/11780

SVGR issue, about SVG with CDATA:

  • https://github.com/gregberge/svgr/issues/558
    • An error like this occurs: Error: Expected node, got ***

Lsnsh avatar Aug 22 '22 09:08 Lsnsh

Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.

daschaa avatar Aug 23 '22 06:08 daschaa

"Please sir, may I have some merges?"

seavor avatar Aug 31 '22 13:08 seavor

jy95 avatar Aug 31 '22 14:08 jy95

Would it help to @ the two reviewers?

Master-Guy avatar Sep 12 '22 18:09 Master-Guy

@Master-Guy You are right, we can try @mrmckeb @iansu 👋

rap2hpoutre avatar Sep 19 '22 07:09 rap2hpoutre

Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.

Only 6 months? Those are rookie numbers.

szakharchenko avatar Sep 20 '22 08:09 szakharchenko

@gaearon Can we close this pull request? Or is it maybe a good idea to bump the dependency to a newer version even if the vulnerability is not affecting react-scripts? I don't know the details of the newest version here, but maybe there are internal improvements as well.

daschaa avatar Sep 21 '22 17:09 daschaa

@iansu @mrmckeb please merge 🙏

sebastienpa avatar Oct 14 '22 18:10 sebastienpa

@iansu @mrmckeb please merge 🙏

mpavlikWandera avatar Nov 07 '22 12:11 mpavlikWandera

Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.

Only 6 months? Those are rookie numbers.

What do I win? 🤣

wozzo avatar Nov 09 '22 09:11 wozzo

Hi, is there a timeline to expect this merge so we can plan accordingly?

Quite vital this is merged soon as it is a security issue.

Phonesis avatar Nov 22 '22 10:11 Phonesis

This may not be a security issue in itself, but it is blocking us from fixing other security issues because this is a blocking dependency :( .

mpavlikWandera avatar Nov 30 '22 11:11 mpavlikWandera

Not impacting production but pretty straightforward, should be merged

alexishecf avatar Nov 30 '22 22:11 alexishecf

You can always override the dependency like this in your project's package.json.

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "6.5.1"
  }
}

Having said that, I think this should be reviewed by the maintainers. Don't know why it hasn't been yet.

andresmanikis avatar Dec 02 '22 13:12 andresmanikis
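The two steps behind the override suggested above, as an added example that is not code from the thread or from create-react-app: walk a dependency graph to list the chains by which a flagged transitive package (nth-check via react-scripts and @svgr/webpack) is pulled in, and merge an npm `overrides` entry into package.json without clobbering entries already present. The graph, package names' versions and the package.json object are constructed placeholders, not a real lockfile.

```javascript
// Added example, not from the PR thread. Constructed dependency graph:
// package name -> { version, deps }. Versions are placeholders.
const graph = {
  "my-app":        { version: "1.0.0", deps: ["react-scripts"] },
  "react-scripts": { version: "5.0.0", deps: ["@svgr/webpack"] },
  "@svgr/webpack": { version: "5.5.0", deps: ["svgo"] },
  "svgo":          { version: "1.3.2", deps: ["css-select"] },
  "css-select":    { version: "2.1.0", deps: ["nth-check"] },
  "nth-check":     { version: "1.0.2", deps: [] },
};

// Depth-first walk returning every root -> target chain as a list of
// "name@version" strings (the information `npm ls <pkg>` prints).
function findPaths(graph, root, target) {
  const paths = [];
  const walk = (name, trail) => {
    const node = graph[name];
    if (!node || trail.includes(name)) return; // unknown package or cycle
    const next = [...trail, name];
    if (name === target) {
      paths.push(next.map((n) => `${n}@${graph[n].version}`));
      return;
    }
    for (const dep of node.deps) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// Return a copy of package.json with overrides[parent][dep] = version merged
// in. Existing overrides are preserved; if the parent already had a plain
// string override, npm's "." key keeps that version for the parent itself.
function applyOverride(pkgJson, parent, dep, version) {
  const out = JSON.parse(JSON.stringify(pkgJson)); // never mutate the input
  out.overrides = out.overrides || {};
  const scope = out.overrides[parent];
  if (typeof scope === "string") {
    out.overrides[parent] = { ".": scope };
  } else if (typeof scope !== "object" || scope === null) {
    out.overrides[parent] = {};
  }
  out.overrides[parent][dep] = version;
  return out;
}
```

After writing the updated package.json, `npm install` followed by `npm ls nth-check` confirms which version the tree now resolves.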

Hi @daschaa, I'm glad you took the time to raise this PR. I'm not sure which should be the test plan to make sure everything is working properly after the change. I guess at least checking that SVGs are loaded correctly and also all the tests are passing (which I guess must be part of the CI checks, right?).

Would be great if it can be reviewed by one of the owners and see if there's something else needed.

andresmanikis avatar Dec 02 '22 16:12 andresmanikis

Hi people, any updates on merging this PR? My Sec team is hopefully waiting for us to fix the Snyk vulnerability on this svg lib version <3

danvitoriano avatar Dec 08 '22 19:12 danvitoriano

@andresmanikis Thanks for your feedback. I will add all the necessary stuff as soon as a maintainer who is willing to review this PR gives feedback. I don't know why no one from Meta looks at this. At least any kind of feedback would be nice.

daschaa avatar Dec 08 '22 21:12 daschaa

Yes. Don't know either.

andresmanikis avatar Dec 08 '22 21:12 andresmanikis

@iansu @mrmckeb could you please have a look? Or at least give us a reason why this is stuck for so long?

mpavlikWandera avatar Jan 27 '23 10:01 mpavlikWandera

There are a few sources suggesting this tool is deprecated (e.g. https://github.com/facebook/create-react-app/issues/13072), which seems to line up with the lack of maintenance. It seems like that might be the reason this hasn't been addressed in way too long.

Edit: better source https://github.com/reactjs/react.dev/pull/5487

tgross35 avatar May 30 '23 20:05 tgross35