create-react-app

react-scripts 5.0.1 library having vulnerable transitive libraries

Open NarahariTagili-Eaton opened this issue 3 years ago • 11 comments

We are using the react-scripts 5.0.1 library, which has vulnerable transitive libraries:

  1. terser/5.13.1

  2. css-what v3.4.2

  3. nth-check/1.0.2

  4. terser/5.13.1: versions before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions. CVE: CVE-2022-25858 (BDSA-2022-2526)

  5. css-what v3.4.2 incorrectly implements linear time complexity. An attacker can take advantage of this in order to overload system resources and cause a denial of service (DoS). CVE: BDSA-2021-1962

  6. nth-check/1.0.2 is vulnerable to Inefficient Regular Expression Complexity. CVE: CVE-2021-3803 (BDSA-2021-2906)

We would expect react-scripts 5.0.1 to be upgraded to the latest version with:

  1. terser/5.13.1 to latest version terser/5.15.1
  2. css-what v3.4.2 to latest version css-what v6.1.0
  3. nth-check/1.0.2 to latest version nth-check/2.1.1

Using the vulnerable react-scripts 5.0.1 makes our product vulnerable. Please upgrade react-scripts 5.0.1 to the latest version with the transitive dependencies' security patches.

NarahariTagili-Eaton avatar Oct 19 '22 12:10 NarahariTagili-Eaton

While you are at it, here are some more dependencies that are vulnerable and should get updated.

CVE-2022-3517: react-scripts-5.0.1.tgz (Root Library) > react-dev-utils-12.0.1.tgz > recursive-readdir-2.2.2.tgz > ❌ minimatch-3.0.4.tgz (Vulnerable Library)

CVE-2022-37599: react-scripts-5.0.1.tgz (Root Library) > file-loader-6.2.0.tgz > ❌ loader-utils-2.0.2.tgz (Vulnerable Library)

skialpine avatar Oct 21 '22 21:10 skialpine

Is there a timeframe for when the PR will be pushed to update the dependent vulnerable libraries?

enema17484 avatar Oct 24 '22 21:10 enema17484

All the vulnerability issues come from the dependency packages, which are outdated. Is there any update on the vulnerability fix?

sanasreenivasulu avatar Oct 25 '22 12:10 sanasreenivasulu

I assume CRA is dead now, as nobody responded to CVE-related topics for more than a week.

rdzidziguri avatar Nov 01 '22 11:11 rdzidziguri

Any update on this? Help needed to fix the vulnerabilities!!

hakhan88 avatar Nov 02 '22 03:11 hakhan88

FWIW, the workaround I ended up with for file-loader to unblock us was to use react-app-rewired and add the following to our config-overrides.js:

// config-overrides.js (react-app-rewired calls this with CRA's webpack config)
module.exports = function override(config) {
	try {
		// CRA keeps its file loaders in a single rule whose `oneOf` array is matched in order.
		const oneOfRule = config.module.rules.find((rule) =>
			Array.isArray(rule.oneOf),
		);
		// Find the rule for .svg files; it is the one that pulls in file-loader.
		const svgRule = oneOfRule.oneOf.find(
			(r) => r.test.toString() === '/\\.svg$/',
		);
		// Switch the rule to webpack 5's built-in asset modules and drop the loader chain,
		// so file-loader (and its loader-utils dependency) is no longer used.
		svgRule.type = 'asset';
		delete svgRule.use;
	} catch (err) {
		console.error(
			'Error while applying config-overrides. CRA has updated the default webpack config.',
			err,
		);
		throw err;
	}
	return config;
};

thgreasi avatar Nov 02 '22 07:11 thgreasi

See this pinned issue here; I don't think these represent actual vulnerabilities.

iendjinn avatar Nov 08 '22 08:11 iendjinn

Yes, #11174 addresses this exactly and provides resolution steps.

mark-wiemer avatar Feb 20 '23 07:02 mark-wiemer

I am also getting the vulnerabilities due to the react-scripts package. Here is the list:

  1. webpack-5.5.0
  2. nth-check-1.0.2
  3. loader-utils-3.2.1
  4. semver-7.5.0
  5. css-what-3.4.2
  6. postcss-8.4.26
  7. mime-1.3.2

Please do consider upgrading these vulnerable packages that are in the dependencies of the react-scripts package.

SangaleSadashiv avatar Jan 23 '24 19:01 SangaleSadashiv

Still getting vulnerabilities with the latest react-scripts:

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j

The only fix available from the npm audit command is to downgrade react-scripts to version 3.0.1, which is not acceptable.

adrian-crisan625 avatar Aug 01 '24 07:08 adrian-crisan625
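The original post and the later npm audit output both boil down to two questions: which dependency chain under react-scripts pulls in the flagged version, and how to pin the fixed version without downgrading react-scripts. The script below is an added example, not code from the thread or from create-react-app. It walks a package-lock v1-style nested tree (the tree here is constructed to mirror the chains quoted above; intermediate packages and their versions, such as terser-webpack-plugin 5.3.6, svgo 1.3.2 and css-select 2.1.0, are assumed for illustration), matches each node against the advisory ranges the thread quotes (nth-check <2.0.1, postcss <8.4.31, terser <4.8.1 and 5.0.0 to before 5.14.2), and emits the npm "overrides" map that pins the fixed versions the thread names.

```javascript
// Added example: find dependency chains that end in an advisory-matching version
// and build an npm "overrides" map. Not part of react-scripts; the lockfile is constructed.

// Advisory ranges as quoted in the thread. Each range is [from, before);
// a missing `from` means "every version below `before`".
const ADVISORIES = [
  { name: 'nth-check', ranges: [{ before: '2.0.1' }], fixed: '2.1.1' },
  { name: 'postcss', ranges: [{ before: '8.4.31' }], fixed: '8.4.31' },
  { name: 'terser', ranges: [{ before: '4.8.1' }, { from: '5.0.0', before: '5.14.2' }], fixed: '5.15.1' },
];

// Constructed package-lock v1 fragment: name -> { version, dependencies }.
// Intermediate package versions are assumptions, not CRA's real lockfile.
const LOCKFILE = {
  name: 'my-app',
  dependencies: {
    'react-scripts': {
      version: '5.0.1',
      dependencies: {
        'terser-webpack-plugin': { version: '5.3.6', dependencies: { terser: { version: '5.13.1' } } },
        svgo: { version: '1.3.2', dependencies: { 'css-select': { version: '2.1.0', dependencies: { 'nth-check': { version: '1.0.2' } } } } },
        postcss: { version: '8.4.26' },
      },
    },
    // Hoisted copy already on the fixed version: must not be reported.
    'nth-check': { version: '2.1.1' },
  },
};

// Minimal numeric compare for "major.minor.patch"; prerelease tags are ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10));
}
function lessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}
function inRange(version, { from, before }) {
  if (from && lessThan(version, from)) return false;
  return lessThan(version, before);
}

// Depth-first walk recording the chain of name@version from the project root.
function findVulnerablePaths(lock, advisories = ADVISORIES) {
  const findings = [];
  const walk = (deps, chain) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...chain, `${name}@${meta.version}`];
      const adv = advisories.find((a) => a.name === name);
      if (adv && adv.ranges.some((r) => inRange(meta.version, r))) {
        findings.push({ name, version: meta.version, fixed: adv.fixed, path });
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// "overrides" block for package.json (npm 8.3+), one pin per flagged package.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.fixed;
  return overrides;
}

const demoFindings = findVulnerablePaths(LOCKFILE);
for (const f of demoFindings) {
  console.log(`${f.name}@${f.version} via ${f.path.join(' > ')} -> pin ${f.fixed}`);
}
console.log(JSON.stringify({ overrides: buildOverrides(demoFindings) }, null, 2));
```

Two practical caveats when applying the generated overrides. First, all of the flagged packages (terser, nth-check via svgo, postcss, loader-utils) run inside the build toolchain and are not shipped in the production bundle, so the ReDoS exposure is to the developer machine or CI runner processing untrusted input, not to end users; that is the context in which the pinned issue #11174 is usually read. Second, nth-check 1 to 2 and css-what 3 to 6 are major-version jumps, so after adding the overrides run a clean install and a full build to confirm react-scripts still works before treating the audit result as resolved.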

I think at this point, with no release in over 2 years, we can assume this project is probably abandoned. I migrated one project to Vite and another to NextJS. The Vite migration for a larger project wasn't too hard (a couple of hours total).

I'm thankful for this project and its maintainers but I think it's time to move on until they come back and maintain this.

myyk avatar Aug 01 '24 07:08 myyk