create-react-app
Bumps @svgr/webpack dependency to version 6.2.1
Regarding the issue https://github.com/facebook/create-react-app/issues/12146 the @svgr/webpack
dependency has to be updated to fix the security warning related to the transitive nth-check
dependency.
@iansu / @mrmckeb
Any feedback on this? Would be cool to have this merged so repositories which are using CRA (react-scripts in particular) would not be bothered by dependabot complaining about the CVE (GHSA) in nth-check.
All checks are fine. Could you please merge this?
Up
This should be merged.
Please do hit the merge-button 🙂
@iansu @mrmckeb Bumping this for visibility
These issues may all need this PR:
- https://github.com/facebook/create-react-app/issues/12146
- https://github.com/facebook/create-react-app/issues/12132
- https://github.com/facebook/create-react-app/issues/11770
- https://github.com/facebook/create-react-app/issues/11753
Similar PR, no progress:
- https://github.com/facebook/create-react-app/pull/12026
- https://github.com/facebook/create-react-app/pull/11780
SVGR issue, about SVG with CDATA:
- https://github.com/gregberge/svgr/issues/558
- An error like this occurs: Error: Expected node, got ***
Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.
"Please sir, may I have some merges?"
Would it help to @ the two reviewers?
@Master-Guy You are right, we can try @mrmckeb @iansu 👋
Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.
Only 6 months? Those are rookie numbers.
@gaearon Can we close this pull request? Or is it maybe a good idea to bump the dependency to a newer version even if the vulnerability is not affecting react-scripts? I don't know the details of the newest version here, but maybe there are internal improvements as well.
@iansu @mrmckeb please merge 🙏
@iansu @mrmckeb please merge 🙏
Hi, Is there a timeline to expect this merge so we can plan accordingly?
Quite vital this is merged soon as it a security issue
This may not be a security issue in itself, but it is blocking us from fixing other security issues because this is a blocking dependency :( .
Not impacting production but pretty straightforward, should be merged
You can always override the dependency like this in your project's package.json.

    "overrides": {
      "react-scripts": {
        "@svgr/webpack": "6.5.1"
      }
    }
Having said that, I think this should be reviewed by the maintainers. Don't know why it hasn't been yet.
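As an added example (not code from this PR or from create-react-app), the override shown in the comment above applied programmatically, plus a package-lock.json check that confirms no older nested copy of nth-check survives the override. The 2.0.1 floor, the sample package names and the lockfile contents are assumptions constructed for illustration; take the real fixed version from the advisory.

```python
import json
from typing import Dict, List, Tuple

def add_override(pkg_json: Dict, parent: str, dep: str, version: str) -> Dict:
    """Return a copy of package.json data with an npm 'overrides' entry that pins
    `dep` wherever it is pulled in under `parent` (the shape used in the comment above)."""
    out = json.loads(json.dumps(pkg_json))  # deep copy, leave the caller's data untouched
    out.setdefault("overrides", {}).setdefault(parent, {})[dep] = version
    return out

def semver_key(version: str) -> Tuple[int, ...]:
    """Sort key for plain x.y.z versions; any pre-release suffix is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def installed_copies(lock: Dict, name: str) -> List[Tuple[str, str]]:
    """Every (install path, version) of `name` in a lockfileVersion 2/3 package-lock.json.
    A nested path shows which dependency still drags in its own private copy."""
    return [(path, meta.get("version", "0.0.0"))
            for path, meta in lock.get("packages", {}).items()
            if path.endswith("node_modules/" + name)]

def unpatched_copies(lock: Dict, name: str, min_safe: str) -> List[Tuple[str, str]]:
    """Copies of `name` older than `min_safe`, i.e. the ones an advisory scanner would still flag."""
    return [(p, v) for p, v in installed_copies(lock, name)
            if semver_key(v) < semver_key(min_safe)]

# Constructed sample lockfile (assumption): the hoisted nth-check is current, but an
# older copy is still nested under svgo, a typical transitive path via css-select.
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "my-cra-app"},
        "node_modules/nth-check": {"version": "2.0.1"},
        "node_modules/svgo/node_modules/css-select": {"version": "2.1.0"},
        "node_modules/svgo/node_modules/nth-check": {"version": "1.0.2"},
    },
}
# Constructed sample package.json (assumption).
SAMPLE_PACKAGE_JSON = {"name": "my-cra-app", "dependencies": {"react-scripts": "^5.0.0"}}

if __name__ == "__main__":
    patched = add_override(SAMPLE_PACKAGE_JSON, "react-scripts", "@svgr/webpack", "6.5.1")
    print(json.dumps(patched["overrides"], indent=2))
    # "2.0.1" is an assumed floor for illustration; use the advisory's fixed version.
    for path, ver in unpatched_copies(SAMPLE_LOCK, "nth-check", "2.0.1"):
        print(f"still unpatched: {path} @ {ver}")
```

Running the lockfile check after `npm install` is the quick way to confirm the override actually reached every nested copy rather than only the hoisted one.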
Hi @daschaa, I'm glad you took the time to raise this PR. I'm not sure which should be the test plan to make sure everything is working properly after the change. I guess at least checking that SVGs are loaded correctly and also all the tests are passing (which I guess must be part of the CI checks, right?).
Would be great if it can be reviewed by one of the owners and see if there's something else needed.
Hi people, any updates on merge this PR? My Sec team is hopefully waiting for us to fix the Snyk vulnerability on this svg lib version <3
@andresmanikis Thanks for your feedback. I will add all the necessary stuff as soon as a maintainer who is willing to review this PR gives feedback. I don't know why no one from Meta looks at this. At least any kind of feedback would be nice.
Yes. Don't know either.
@iansu @mrmckeb could you pls have a look? or at least give us a reason why this is stuck for so long?
There are a few sources suggesting this tool is deprecated (e.g. https://github.com/facebook/create-react-app/issues/13072), which seems to line up with the lack of maintenance. It seems like that might be the reason this hasn't been addressed in way too long.
Edit: better source https://github.com/reactjs/react.dev/pull/5487