Fix react-scripts vulnerabilities #11012
Comments
Same as @faroscore. Most of my warnings are coming from react-scripts package dependencies. Any update soon?
The problem is this bonjour that hasn't been updated in the last 5 years :O . watson/bonjour#63 The issue on bonjour was opened today. The react-dev-utils package should update the "browserslist" dependency though.
Same as the above comments. Looking forward to some updates
Same situation...
Same as #11007
facing same issue with postcss vulnerabilities as well
Having the same problems with dns-packet and postcss
My understanding is that
Same problems here. Browserslist, postcss, and dns-packet. Uninstalling react-scripts gets rid of the vulnerabilities (of course not a solution).
Same problem here #11012, waiting for some update
dns-packet should be fixed within that library now. Run "audit fix" to fix it.
I can confirm that
I'm waiting for the new version of react-scripts to fix the vulnerabilities. I have 80 moderate vulnerabilities linked to postcss dependencies. If you look at the git project, the package.json files are modified with the latest version of postcss, but not in npm for the moment. To fix the high dns-packet vulnerabilities I edited my project's package.json with this :
same here...
same here
I am also waiting for this fix
This requires more attention. I currently have 87 vulnerable packages in react-scripts.
I totally agree
102 vulnerabilities (86 moderate, 16 high)
Yea this needs to be fixed.
I get the same issue too.
118 Moderate | 5 High
These vulnerabilities have been around for a long time. Is there any plan to fix them??
Ongoing -- I hope there is a fix :)
A fix for this would be great 🙏
There are no actual vulnerabilities here. Unfortunately, this is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA). Yes, it would be good to cut a patch to remove the warnings, but we are all unfortunately wasting time here.
These warnings are false positives. There are no actual vulnerabilities affecting your app here. To remove I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings. If you want to discuss this, please comment in #11102.
There is a new high vulnerability with Memory Exposure that appears in the nested dependency dns-packet (https://npmjs.com/advisories/1745) and a moderate vulnerability with Regular Expression Denial of Service that appears in the nested dependency browserslist (https://npmjs.com/advisories/1747).