Vulnerability Issues with nth-check in react-scripts Dependencies
Environment:
- Operating System: Windows 11
- IDE: Visual Studio Code
- Node.js version: v18.17.1
- npm version: 10.1.0
Description:
I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package. Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.
NPM Audit Output:
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/react-scripts/node_modules/nth-check
  css-select <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/react-scripts/node_modules/css-select
    svgo 1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/react-scripts/node_modules/svgo
      @svgr/plugin-svgo <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/react-scripts/node_modules/@svgr/plugin-svgo
        @svgr/webpack 4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/react-scripts/node_modules/@svgr/webpack
          react-scripts >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts
Steps to Reproduce:
- Updated to the latest version of react-scripts.
- Ran npm audit, revealing the vulnerability issue related to nth-check.
- Attempted to manually update dependencies and force resolutions.
- Checked again with npm audit, but the vulnerability warning persisted.
Expected Behavior:
The dependencies, especially nth-check, should be up-to-date, ensuring no vulnerabilities when executing npm audit.
Additional Context:
I made attempts to resolve this by updating individual packages and also using the npm-force-resolutions package. Unfortunately, the vulnerability continues to persist.
Seeking guidance or a potential fix for this vulnerability. Thank you for your assistance!
See this comment, it's important. https://github.com/facebook/create-react-app/issues/13062#issuecomment-1474189236
If you consider migrating, check this article: https://cathalmacdonnacha.com/migrating-from-create-react-app-cra-to-vite
If you really need to fix this warning, you can declare in your dependencies
"dependencies": {
"nth-check": "^2.1.1"
}
and at the end of your package.json
"overrides": {
"nth-check": "$nth-check"
}
It doesn't work for me :( Seems like it's time to migrate to Vite
I added this:
"dependencies": {
  "react-scripts": "^5.0.1",
  "web-vitals": "^2.1.4",
  "nth-check": "^2.1.1"
},
"overrides": {
  "nth-check": "^2.1.1",
  "postcss": "^8.4.38"
}
and after that I entered npm update, hope it helped you :)
Thanks for this info, helps me to remove Snyk scanning issue on the nth-check
Maybe the problem may be due to the lack of permission to use the new version, so it needs re-installation of the libs and requires an overwrite of the existing version (registered in the dependencies list)
# npm i postcss
# npm i nth-check
and add this code to the end of the package.json file:
"overrides": {
  "nth-check": "$nth-check",
  "postcss": "$postcss"
}
That helped me, after updating node to v22.3.0 and react-scripts: 5.0.1
The moment I decided to uninstall react-scripts is when I finally resolved the vulnerability issues I've been getting from git (npm audit fix didn't do the job btw)
[user☮kenshantas-macbook-pro.home]-(~/Projects/sleek-company-portfolio)-[git://main ✔]-
└> npm install vite @vitejs/plugin-react --save-dev
added 9 packages, and audited 1688 packages in 8s
264 packages are looking for funding
run `npm fund` for details
8 vulnerabilities (2 moderate, 6 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
┌[user☮kenshantas-macbook-pro.home]-(~/Projects/sleek-company-portfolio)-[git://main ✗]-
└> npm uninstall react-scripts
removed 1292 packages, and audited 396 packages in 3s
58 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
We should close this issue as there haven't been any updates over the past 2 years. The project is abandoned :/
Thanks a ton for fixing that!
It helps me a lot! thank you so mucho for that
This helped me as well:
removed 3 packages, and audited 1507 packages in 2s
274 packages are looking for funding
run npm fund for details
found 0 vulnerabilities
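One way to check whether the `overrides` entries suggested in this thread actually replaced the nested copy, as an added example that is not part of the original thread: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for every installed copy of nth-check and flags those below 2.0.1, the range from the audit output. The two lockfile objects and the 1.0.2 version are constructed sample data, and `findCopies`, `lessThan` and `parseVersion` are hypothetical helper names.

```javascript
// Added example (not from the thread): find every installed copy of a package
// in a parsed package-lock.json and flag copies inside an advisory range.

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b.
function lessThan(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// lock: parsed lockfile with a "packages" map keyed by install path
// (lockfileVersion 2 or 3). Returns one record per installed copy of `name`.
function findCopies(lock, name, firstPatched) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => meta.version &&
      (path === suffix || path.endsWith(`/${suffix}`)))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      vulnerable: lessThan(meta.version, firstPatched),
    }));
}

// Constructed sample: nested copy under react-scripts, as in the audit paths.
const beforeOverride = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/react-scripts": { version: "5.0.1" },
  "node_modules/react-scripts/node_modules/nth-check": { version: "1.0.2" },
} };

// Constructed sample: the override resolved nth-check to one hoisted 2.1.1 copy.
const afterOverride = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/react-scripts": { version: "5.0.1" },
  "node_modules/nth-check": { version: "2.1.1" },
} };

// Real use: pass JSON.parse of the project's package-lock.json instead.
console.log(findCopies(beforeOverride, "nth-check", "2.0.1"));
console.log(findCopies(afterOverride, "nth-check", "2.0.1"));
```

`npm ls nth-check` prints the same information from the installed tree; a copy still listed under node_modules/react-scripts/node_modules after `npm install` means the override did not apply.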