
npm audit vulnerabilities

[Open] m1n0s opened this issue 6 years ago • 0 comments

Hey! Thanks for the amazing package!

I have a question about the new npm vulnerabilities functionality. The problem is that all 36 vulnerabilities are fired from custom-react-scripts (before updating from 0.2.1 to 0.2.2 there were 100+ of them).

found 36 vulnerabilities (15 low, 15 moderate, 6 high) in 22104 scanned packages

Most of them are fired from the hoek dependency, and it seems like many of them are already fixed. Something like this:

  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   custom-react-scripts

  Path            custom-react-scripts > less > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

Are you going to deal with it somehow in the nearest future?

Thanks!

node -v // 8.11.3
npm -v  // 6.4.0

m1n0s, Aug 22 '18 09:08
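A way to triage a report like the one above, as an added example that is not code from the issue or from custom-react-scripts: it reads the npm 6 `npm audit --json` layout (advisories keyed by id, each with findings that carry the installed version and the dependency paths), checks each installed version against the advisory's "Patched in" range, and groups the still-unpatched findings by the top-level dependency that pulls them in. The sample report and the installed hoek version 2.16.3 are constructed for illustration.

```javascript
// Added example, not code from the issue or from custom-react-scripts: triage an
// `npm audit --json` report (npm 6 schema) offline by checking each finding's
// installed version against patched_versions and naming the top-level dependency.
const cmpVersions = (a, b) => {
  const [pa, pb] = [a, b].map(v => v.replace(/^v/, "").split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
};
// Minimal semver range check: space-separated comparators are AND-ed, "||" groups
// are OR-ed; enough for ranges like "> 4.2.0 < 5.0.0 || >= 5.0.3".
function satisfies(version, range) {
  return range.split("||").some(clause =>
    clause.trim().replace(/([<>=]+)\s+/g, "$1").split(/\s+/).every(c => {
      const m = c.match(/^(>=|<=|>|<|=)?v?(\d+\.\d+\.\d+)$/);
      if (!m) throw new Error(`unsupported comparator: ${c}`);
      const d = cmpVersions(version, m[2]);
      return { ">": d > 0, ">=": d >= 0, "<": d < 0, "<=": d <= 0, "=": d === 0 }[m[1] || "="];
    }));
}
// npm 6 audit JSON: advisories keyed by id; each finding lists the installed
// version and the dependency paths (segments joined by ">") that pull it in.
function triage(audit) {
  const rows = [];
  for (const adv of Object.values(audit.advisories))
    for (const f of adv.findings)
      for (const p of f.paths)
        rows.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
          installed: f.version, patched: satisfies(f.version, adv.patched_versions),
          root: p.split(">")[0], path: p });
  return rows;
}
// Constructed sample mirroring the advisory quoted in the issue; the installed
// hoek version (2.16.3) is an assumption for illustration.
const sampleAudit = { advisories: { 566: {
  id: 566, module_name: "hoek", severity: "moderate", title: "Prototype pollution",
  patched_versions: "> 4.2.0 < 5.0.0 || >= 5.0.3",
  findings: [{ version: "2.16.3", paths: ["custom-react-scripts>less>request>hawk>sntp>hoek"] }],
} } };
// Unpatched findings grouped by the top-level dependency responsible for them.
function unpatchedByRoot(audit) {
  const out = {};
  for (const r of triage(audit)) if (!r.patched) (out[r.root] = out[r.root] || []).push(r);
  return out;
}
for (const [root, rows] of Object.entries(unpatchedByRoot(sampleAudit)))
  for (const r of rows) console.log(`${root}: ${r.severity} #${r.id} ${r.module}@${r.installed} via ${r.path}`);
```

Running it against a real report (`npm audit --json > audit.json`, then `JSON.parse` of that file in place of `sampleAudit`) shows which top-level package each unpatched transitive finding traces back to.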