Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix react-scripts vulnerabilities #11012

Closed
faroscore opened this issue May 25, 2021 · 30 comments
Closed

Fix react-scripts vulnerabilities #11012

faroscore opened this issue May 25, 2021 · 30 comments

Comments

@faroscore
Copy link

There are a new high vulnerability with Memory Exposure that appears in nested dependency dns-packet (https://npmjs.com/advisories/1745) and moderate vulnerability with Regular Expression Denial of Service that appears in nested dependency browserslist (https://npmjs.com/advisories/1747)
image

@Bismarck-GM
Copy link

Same as @faroscore. Most of my warnings coming from react-scripts package dependencies. Any update soon?

image

@croraf
Copy link

croraf commented May 25, 2021

The problem is this bonjour that hasn't been updated last 5 years :O . watson/bonjour#63 the issue on bonjor has been opened today.

react-dev-utils package should update "browserslist" dependency though.

@mvmories
Copy link

Same as the above comments. Looking forward for some updates

@IevgeniiK-AVISPL
Copy link

Same situation...

@stahlmanDesign
Copy link

Same as #11007

@ritikasib
Copy link

facing same issue with postcss vulnerabilities as well

@Anacrius
Copy link

Having the same problems with dns-packet and postcss

@jp94
Copy link

jp94 commented May 26, 2021

My understanding is that [email protected] has the patch, and we are waiting on the advisory to update? I did a fresh npm install today, and package-lock shows [email protected].

mafintosh/multicast-dns#75

@cogrod17
Copy link

Same problems here. Browserslist, postcss, and dns-packet. Uninstalling react-scripts gets rid of the vulnerabilities (of course not a solution).

@juanpedropuig
Copy link

Same problem here #11012, waiting for some update

@croraf
Copy link

croraf commented May 27, 2021

dns-packet should be fixed within that library now. Run "audit fix" to fix it.

@gregmarr
Copy link

See also #10928 and and the PRs #10135 and #10697

@Primajin
Copy link
Contributor

I can confirm that npm audit fix fixes the high severity issue with dns-packet.
However there are still 80 moderate vulnerabilities though.

@dbouchierarcad
Copy link

I'm waiting the new version of react-script to fix vulnerabilities. I have 80 moderate vulnerabilities linked to postcss dependencies, if you look the git project the package.json are modified with last vesion of postcss, but not in npm for the moment. To fix high vulnerabilities dns-packet i edited my package.json project with this :
"resolutions": {
"underscore": "^1.13.1",
"dns-packet": "^5.2.2"
}

@arwanfiles
Copy link

same here...

@jemu51
Copy link

jemu51 commented Jun 2, 2021

same here
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.2.10 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > postcss-preset-env > postcss-selector-not > │
│ │ postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1693
└───────────────┴──────────────────────────────────────────────────────────────┘

@bsubba
Copy link

bsubba commented Jun 8, 2021

I am also waiting for this fix

@Raynesz
Copy link

Raynesz commented Jun 8, 2021

This requires more attention. I currently have 87 vulnerable packages in react-scripts.

@pierre-H
Copy link

pierre-H commented Jun 8, 2021

This requires more attention. I currently have 87 vulnerable packages in react-scripts.

I totally agree

@klipitkas
Copy link

102 vulnerabilities (86 moderate, 16 high)

@wshihdehx
Copy link

Yea this needs to be fixed.

@croraf
Copy link

croraf commented Jun 21, 2021

npm audit fix leaves only 5 moderate and 5 high at the moment.

@felkeM
Copy link

felkeM commented Jun 27, 2021

I get the same issue too.

npm audit report

browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 2.3.0
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo *
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack >=4.0.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo

glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin 0.6.0 - 1.0.0
Depends on vulnerable versions of normalize-url
node_modules/mini-css-extract-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-normalize-url
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

@jindong-zhang-git
Copy link

118 Moderate | 5 High

@rhalaly
Copy link

rhalaly commented Jun 28, 2021

These vulnerabilities have been around for a long time. Is there any plan to fix them??

@pierre-H
Copy link

This problem is very serious and makes me consider using Svelte.

Please @gaearon @Timer : could you please give us some news ...

@ghost
Copy link

ghost commented Jun 29, 2021

Ongoing -- I hope there is a fix :)
#11092 (comment)

@AndreGCRamos
Copy link

A fix for this would be great 🙏

@gaearon
Copy link
Contributor

gaearon commented Jul 2, 2021

There are no actual vulnerabilities here.

Unfortunately, npm audit has no idea that these packages are development-only dependencies. From what I can tell, none of these "vulnerabilities" actually affect your application (or even development machine) in any way.

This is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA).

Yes, it would be good to cut a patch to remove the warnings, but we are all unfortunately wasting time here.

@gaearon
Copy link
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To remove npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests