
react-scripts 5.0.1 having vulnerable transitive libraries

Open aish110 opened this issue 3 years ago • 3 comments

We are using react-scripts 5.0.1 library, and facing some security vulnerabilities in its dependent packages.

  1. nth-check v1.0.2 - vulnerable to Inefficient Regular Expression Complexity
  2. loader-utils v2.0.2 - A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js
  3. minimatch v3.0.4 - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

These packages, if upgraded to the versions below, will fix the vulnerabilities: nth-check v2.0.1, minimatch v3.0.5

Please upgrade react-scripts with transitive dependencies security patches.

aish110, Nov 15 '22

PR #12172 should resolve all of those, but no work has been done on this repo since September from the looks of it.

wozzo, Nov 16 '22

See #11174, this is a non-issue

mark-wiemer, Feb 20 '23

No update on this yet? I am having the same issue.

Node version: v14.18.3, npm version: 6.14.15

ethhandy, Sep 02 '24