
Npm install high severity issues react native 0.66

Open glairnarra31 opened this issue 2 years ago • 9 comments

Description

After I try to install an npm library I saw a heavy list of vulnerabilities which was mostly pointing to the set-value issue https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541. I tried setting up a fresh RN project (0.66) and this is also occurring.

[screenshot]

React Native version:

0.66 and 0.64 (current project I'm working on)

Steps To Reproduce

  1. initialize project using npx react-native init AwesomeProject command
  2. run npm install after setup and then the vulnerabilities will appear [screenshot]

Expected Results

Minimal to no vulnerabilities. I'm just curious if it is OK to ignore the vulnerabilities?

glairnarra31 avatar Oct 04 '21 10:10 glairnarra31

Some new critical ones today coming from lodash:

[screenshot]

chazmcgrill avatar Oct 07 '21 08:10 chazmcgrill

[screenshot] Also seeing another moderate-level vulnerability after a fresh install with the package chalk/ansi-regex.

btheteach avatar Oct 10 '21 18:10 btheteach

Here is a summary of what I'm getting as of October 11 before I install any dependencies:

  • I ran npx react-native init demoApp

  • After it finished I ran npm install, but did not install any dependencies yet. This is just to be able to do npm audit before installing any dependencies.

  • I get this response: [screenshot]

  • Here is what I get when I run npm audit:

[four screenshots of npm audit output]

  • If I run npm audit fix it doesn't reduce the number of vulnerabilities.
  • If I run npm audit fix --force it reduces to 24 high severity vulnerabilities.
  • No matter how many times I run npm audit fix --force I can't seem to get below 24 severe vulnerabilities and 8 moderate. Also, this creates breaking changes.
  • Running react-native init projectName results in having "react": "17.0.2", and "react-native": "0.66.0" listed in package.json.
  • Running npm audit fix --force several times to get to the lowest possible number of vulnerabilities seems to result in "react": "17.0.2", and "react-native": "^0.61.4", in package.json.

annieneedscoffee avatar Oct 11 '21 18:10 annieneedscoffee

OK, it looks like a lot of what I posted earlier is an issue with npm, not an issue with react-native. If I just create an empty folder on my computer and run npm install in that folder I get:

[screenshot]

So I guess 10 of the issues marked as severe vulnerabilities in my previous post are specific to react-native.

If you go to https://nodejs.org/en/ it says "New security releases to be made available October 12th, 2021" so it seems like a lot of this could be resolved by updating node tomorrow.

annieneedscoffee avatar Oct 11 '21 20:10 annieneedscoffee

Now that those node security releases are available I updated node and I'm still getting the exact same number of vulnerability warnings, so I guess the security issues fixed in the new releases for node weren't any of the ones flagged by npm audit. These links seem relevant to what's going on:

https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

https://overreacted.io/npm-audit-broken-by-design/

annieneedscoffee avatar Oct 12 '21 16:10 annieneedscoffee

Yeah, npm audit has nothing to do with Node security unless you're specifically working on a Node project. It has to do with the packages specified in the output. A lot of the current problems relate to versions of set-value and ansi-regex needing to be bumped.

scousino avatar Oct 26 '21 16:10 scousino
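A way to triage the kind of npm audit output discussed in the comments above, both the "can I ignore these" question and the observation that npm audit fix --force keeps forcing breaking changes (added example; this is not code from the thread or from the React Native project). It reads the JSON that `npm audit --json` emits on npm 7 and later together with package-lock.json (lockfileVersion 2 or 3, where a package entry carries `"dev": true` when nothing under `dependencies` reaches it) and, for each finding, reports whether any installed copy sits on a production install path and whether the fix npm offers is a semver-major bump, which is exactly the change `npm audit fix --force` is willing to make. The embedded report and lockfile excerpt are constructed samples: the package names example-lib and example-tool, the advisory titles and the version ranges are placeholders, not advisories taken from the thread.

```javascript
// Added example, not from the issue thread or the React Native project.
// Triage `npm audit --json` (npm 7+, auditReportVersion 2) against
// package-lock.json (lockfileVersion 2/3): which findings sit only on
// dev-only install paths, and which available fixes are semver-major.
//
// Real use:   npm audit --json > audit.json
//             node triage.js audit.json package-lock.json
// With no arguments the constructed samples below are used.

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed sample in the shape npm emits. example-lib, example-tool,
// the titles and the ranges are placeholders, not real advisories.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-lib": {
      name: "example-lib", severity: "high", isDirect: true,
      via: [{ title: "Prototype pollution (placeholder)", severity: "high", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/example-lib"],
      // Object form means the only fix crosses a major version.
      fixAvailable: { name: "example-lib", version: "2.0.0", isSemVerMajor: true },
    },
    "ansi-regex": {
      name: "ansi-regex", severity: "moderate", isDirect: false,
      via: [{ title: "Regular Expression Denial of Service (ReDoS)", severity: "moderate", range: ">2.1.1 <5.0.1" }],
      effects: ["example-tool"], range: ">2.1.1 <5.0.1",
      // Two installed copies: one hoisted on a production path, one nested under a dev tool.
      nodes: ["node_modules/ansi-regex", "node_modules/example-tool/node_modules/ansi-regex"],
      fixAvailable: true,
    },
    "example-tool": {
      name: "example-tool", severity: "moderate", isDirect: true,
      via: ["ansi-regex"], // string entries: vulnerable only through a dependency
      effects: [], range: "*", nodes: ["node_modules/example-tool"], fixAvailable: true,
    },
  },
};

// Constructed lockfile excerpt. "dev": true marks packages that nothing in
// "dependencies" reaches.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "example-lib": "^1.0.0" }, devDependencies: { "example-tool": "^1.0.0" } },
    "node_modules/example-lib": { version: "1.4.0", dependencies: { "ansi-regex": "^5.0.0" } },
    "node_modules/ansi-regex": { version: "5.0.0" },
    "node_modules/example-tool": { version: "1.0.0", dev: true, dependencies: { "ansi-regex": "^4.0.0" } },
    "node_modules/example-tool/node_modules/ansi-regex": { version: "4.1.0", dev: true },
  },
};

// A path missing from the lockfile (report and lock out of sync) counts as
// production, so a mismatch never hides a finding.
function isDevOnly(lock, nodePath) {
  const entry = (lock.packages || {})[nodePath];
  return Boolean(entry && entry.dev === true);
}

function triage(audit, lock) {
  const rows = Object.values(audit.vulnerabilities || {}).map((vuln) => {
    const nodes = vuln.nodes || [];
    const fix = vuln.fixAvailable;
    return {
      name: vuln.name,
      severity: vuln.severity,
      isDirect: Boolean(vuln.isDirect),
      // Production-reachable if any installed copy is.
      devOnly: nodes.length > 0 && nodes.every((n) => isDevOnly(lock, n)),
      nodes,
      // Keep advisory objects only; string entries just name another package.
      advisories: (vuln.via || []).filter((v) => v && typeof v === "object").map((v) => v.title),
      // The change `npm audit fix --force` would push through.
      breakingFix: Boolean(fix && typeof fix === "object" && fix.isSemVerMajor),
    };
  });
  // Worst severity first; within a severity, production paths before dev-only.
  return rows.sort((a, b) =>
    (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0) ||
    Number(a.devOnly) - Number(b.devOnly));
}

function summarize(rows) {
  const out = { prod: 0, devOnly: 0, breakingFix: 0 };
  for (const r of rows) {
    if (r.devOnly) out.devOnly++; else out.prod++;
    if (r.breakingFix) out.breakingFix++;
  }
  return out;
}

function render(rows) {
  return rows.map((r) =>
    `${r.severity.padEnd(8)} ${r.devOnly ? "dev-only" : "PROD    "} ${r.name}` +
    (r.breakingFix ? " (fix is semver-major)" : "") +
    r.nodes.map((n) => `\n           ${n}`).join("")).join("\n");
}

async function main(argv) {
  let audit = SAMPLE_AUDIT, lock = SAMPLE_LOCK;
  if (argv.length >= 2) {
    const fs = await import("fs"); // dynamic import: works under CommonJS and ESM alike
    const load = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
    audit = load(argv[0]);
    lock = load(argv[1]);
  }
  const rows = triage(audit, lock);
  console.log(render(rows));
  console.log(summarize(rows));
  return rows;
}

main(process.argv.slice(2)).catch((e) => { console.error(e); process.exit(1); });
```

Two caveats when reading the result. npm itself can make the dev/prod split (npm audit --omit=dev on npm 8 and later), but it does not show you the per-copy install path, which is what this script keeps. And for React Native specifically the split is misleading: the @react-native-community/cli packages in the paths posted in this thread are pulled in through react-native's own dependencies, so the lockfile marks them as production even though they only run on the developer's machine; the printed path is what lets you make that judgement by hand.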

I believe this is now resolved with the release of cache-base 4.0.2 (https://github.com/jonschlinkert/cache-base/commit/afb51c80fb54682bae3a4b0ad458dbbcdbfd69f9)

jcoyne avatar Nov 29 '21 18:11 jcoyne

Can we get a fix on these HIGH SEVERITY vulnerabilities

Vulnerable module: shell-quote

Introduced through: @react-native-community/[email protected], @react-native-community/[email protected] and others

Detailed paths:

  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected]

Regular Expression Denial of Service (ReDoS)

Vulnerable module: ansi-regex

Introduced through: @react-native-community/[email protected], @react-native-community/[email protected] and others

Detailed paths:

  • Introduced through: [email protected] › @react-native-community/[email protected][email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected][email protected][email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected][email protected][email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected][email protected][email protected][email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected][email protected][email protected]
  • Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected][email protected][email protected][email protected][email protected]

Udith-Murali avatar Dec 30 '21 11:12 Udith-Murali

Is there a fix that was merged / is being worked on regarding this vulnerability?

cannahum avatar Oct 19 '22 21:10 cannahum

Closing as this version of React Native is several years old. Please re-open a new issue against the latest stable if the issue persists.

cortinico avatar Oct 27 '23 15:10 cortinico