
react-scripts is using postcss@^7.0.35 which has security vulnerability

Open biaoqiu opened this issue 2 years ago • 4 comments

[email protected] requires postcss@^7.0.35 via a transitive dependency on [email protected]

I see the latest version of resolve-url-loader is 5.x, and it depends on [email protected]. So can we update resolve-url-loader to a non-vulnerable version? Thank you!

biaoqiu avatar Oct 30 '23 02:10 biaoqiu

A link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-44270

JcPires avatar Nov 02 '23 16:11 JcPires

I had to use overrides in my package.json to overcome these errors:

  "overrides": {
    "nth-check": "https://registry.npmjs.org/nth-check/-/nth-check-2.1.1.tgz",
    "postcss": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz"
  }

However, the dependency should be updated in the main branch.

Dror-Bar avatar Nov 26 '23 09:11 Dror-Bar
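The override above fixes the install, but it is easy to lose track of which nested copies a lockfile still resolves to an old version. The script below is an added example, not code from the thread or from create-react-app: it walks a lockfileVersion 2/3 `package-lock.json` "packages" map, flags every copy of `postcss` or `nth-check` below the fixed versions the thread's override URLs name (8.4.31 and 2.1.1), and emits the matching `overrides` entry for `package.json`. The lock data and package versions in the sample are constructed for illustration; the `react-scripts` version is a placeholder, not the real one.

```javascript
'use strict';

// Minimum safe versions, taken from the override tarball URLs in the thread.
const MIN_SAFE = {
  postcss: '8.4.31',
  'nth-check': '2.1.1',
};

// Numeric compare of dotted versions. Pre-release suffixes are stripped, which
// is enough for the plain releases discussed here (-1: a < b, 0: equal, 1: a > b).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile "packages" map. Keys look like
// "node_modules/react-scripts/node_modules/postcss"; the package name is the
// part after the last "node_modules/". Return every instance whose resolved
// version sits below the floor for that name.
function findOutdated(lock, minSafe = MIN_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const floor = minSafe[name];
    if (floor && meta.version && compareVersions(meta.version, floor) < 0) {
      hits.push({ path, name, version: meta.version, required: floor });
    }
  }
  return hits;
}

// Build the package.json "overrides" object in the registry-tarball form the
// thread used; a plain semver range such as "^8.4.31" would also be accepted by npm.
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) {
    overrides[h.name] = `https://registry.npmjs.org/${h.name}/-/${h.name}-${h.required}.tgz`;
  }
  return overrides;
}

// Return a new package.json object with the overrides merged in, keeping any
// overrides already present for other packages.
function applyOverrides(pkg, overrides) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...overrides } };
}

// Constructed sample lockfile: the top-level postcss is already fixed, but a
// nested postcss 7.x under react-scripts and an old nth-check are not.
// Versions other than the floors above are made up for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/postcss': { version: '8.4.31' },
    'node_modules/react-scripts': { version: '0.0.0' }, // placeholder version
    'node_modules/react-scripts/node_modules/postcss': { version: '7.0.35' },
    'node_modules/nth-check': { version: '1.0.0' },
  },
};

// Constructed package.json for the same project.
const SAMPLE_PKG = {
  name: 'my-app',
  version: '0.1.0',
  dependencies: { 'react-scripts': '*' },
};

// Run the audit and print the package.json that would result.
function auditAndPatch(lock, pkg) {
  const hits = findOutdated(lock);
  return { hits, patched: applyOverrides(pkg, buildOverrides(hits)) };
}

const result = auditAndPatch(SAMPLE_LOCK, SAMPLE_PKG);
console.log('outdated copies:', result.hits);
console.log(JSON.stringify(result.patched, null, 2));
```

After writing the overrides and re-running `npm install`, `npm ls postcss` and `npm ls nth-check` should show only the forced versions; rerunning the script against the regenerated lockfile should return no hits.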

@Dror-Bar thank you, you are going to be in my video on using Trivy to fix vulnerabilities with this suggestion -- Thank you!!!

AnaisUrlichs avatar Feb 07 '24 14:02 AnaisUrlichs