
Help, npm audit says I have a vulnerability in react-scripts! #11174

Open
gaearon opened this issue Jul 2, 2021 · 130 comments

gaearon commented Jul 2, 2021

npm audit is broken for front-end tooling by design

Bad news, but it's true. See here for a longer explanation.

If you think you found a real vulnerability in react-scripts

If you know that it affects CRA users because you understand what the vulnerability is, report it here as soon as possible.

If you're not sure but your CI is failing or you're worried about what npm audit tells you, keep reading.

Do not file new issues based on npm audit if you don't 100% understand the problem.
They will be closed (see why below). If you really need to discuss it, reply in this thread instead.

npm audit says there's a warning about vulnerabilities in my project

Open package.json. You will find this:

  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3"
  }

Take react-scripts and move it to devDependencies (if you don't have it, create it):

  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },

Then, ensure you run npm audit --production rather than npm audit.

This will fix your warnings.

But isn't this just ignoring the problem?

No.

Create React App is a build tool. In other words, it doesn't produce a running Node application. It runs at build time during development, and produces static assets.

However, npm audit is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.

This means that the overwhelming amount of "vulnerability" reports we receive for transitive dependencies are false positives. Despite literally a hundred issues with thousands of comments about npm audit warnings in react-scripts, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users.

This is a huge waste of everyone's time. Mostly of yours, but of ours too.

But I still see these warnings when creating a new project or running npm install

Yes, unfortunately that's how npm works since v6. You can bring it up with npm. If enough people complain, maybe they'll rethink this decision. It is unfortunately actively hostile to build tooling.

Note that you can run npm install --no-audit to suppress them.

I know the transitive dependency has a fix, how can I try it?

If you already know that [email protected] has the fix that you need, but react-scripts hasn't yet updated to it, you can try your luck using that version forcefully. With Yarn, you can do it using resolutions. With npm, you might need to wait for overrides or npm audit fix overrides integration to land first (it's not implemented yet). You can also try npm-force-resolutions.

But can't a build tool have vulnerabilities, too?

Yes, in principle.

The few times there was an actual vulnerability, it was reported separately, and we released patches as soon as it was possible. You can always report real vulnerabilities here, but please do this if you understand the difference between a real vulnerability and a false positive. For example, a "Regex DDOS attack" can never be a real vulnerability for a development-time tool. If you're not sure, you're welcome to ask in this thread, but please keep it brief and to the point so that the thread doesn't become unreadable.

Really, the worst problem is that when there is a real attack poisoning the build toolchain, we won't know about it because it will be buried underneath the 99.9% of false positives.
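A triage helper, added here as an example (not code from this thread or from Create React App), that applies the post's distinction to `npm audit --json` output: it follows each advisory's `effects` chain up to the project's direct dependencies and reports whether the finding is reachable only through devDependencies such as react-scripts or through a production dependency. The package.json and audit excerpt are constructed, the chain under react-scripts is shortened, and the advisory titles are placeholders.

```python
import json

# Constructed package.json in the layout the post recommends: react-scripts
# sits in devDependencies; "example-runtime-lib" is a placeholder for a
# package that is shipped to production.
PACKAGE_JSON = """{
  "dependencies": {"react": "^17.0.2", "react-dom": "^17.0.2",
                   "example-runtime-lib": "^1.0.0"},
  "devDependencies": {"react-scripts": "4.0.3"}
}"""

# Constructed excerpt in the shape of `npm audit --json` (npm 7+): each entry
# says what it is vulnerable `via` (advisory objects, or names of deeper
# packages) and which dependents it `effects`. Titles are placeholders.
AUDIT_JSON = """{
  "vulnerabilities": {
    "nth-check": {"severity": "high", "isDirect": false, "effects": ["css-select"],
      "via": [{"name": "nth-check", "title": "PLACEHOLDER: ReDoS", "range": "<2.0.1"}]},
    "css-select": {"severity": "high", "isDirect": false, "effects": ["svgo"],
      "via": ["nth-check"]},
    "svgo": {"severity": "high", "isDirect": false, "effects": ["react-scripts"],
      "via": ["css-select"]},
    "react-scripts": {"severity": "high", "isDirect": true, "effects": [],
      "via": ["svgo"]},
    "example-runtime-lib": {"severity": "moderate", "isDirect": true, "effects": [],
      "via": [{"name": "example-runtime-lib", "title": "PLACEHOLDER: prototype pollution",
               "range": "<1.2.0"}]}
  }
}"""


def direct_roots(name, vulns, seen=None):
    """Follow `effects` (dependents) upward until packages the project depends
    on directly (`isDirect`) are reached; returns that set of roots."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    entry = vulns.get(name)
    if entry is None:
        return set()
    if entry.get("isDirect"):
        return {name}
    roots = set()
    for dependent in entry.get("effects", []):
        roots |= direct_roots(dependent, vulns, seen)
    return roots


def triage(audit, pkg):
    """Label every package that carries an advisory by which side of the
    project reaches it. 'build-time' means all of its direct roots are
    devDependencies (a build tool such as react-scripts); per the post that
    makes the finding a likely false positive, not a proven non-issue."""
    prod = set(pkg.get("dependencies", {}))
    dev = set(pkg.get("devDependencies", {}))
    vulns = audit["vulnerabilities"]
    report = {}
    for name, entry in vulns.items():
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue  # only a carrier of a deeper advisory, not its source
        roots = direct_roots(name, vulns)
        if roots & prod:
            verdict = "runtime"      # reachable from production code: investigate
        elif roots and roots <= dev:
            verdict = "build-time"   # npm audit --production would not flag it
        else:
            verdict = "unknown"      # no direct root found: inspect by hand
        report[name] = {
            "severity": entry.get("severity"),
            "roots": sorted(roots),
            "verdict": verdict,
            "titles": [a.get("title", "") for a in advisories],
        }
    return report


def triage_sample():
    """Run the triage over the constructed inputs above."""
    return triage(json.loads(AUDIT_JSON), json.loads(PACKAGE_JSON))
```

Run `triage_sample()` to see the nth-check chain resolved to react-scripts (build-time) and the placeholder runtime package flagged as runtime; on a real project, feed it `npm audit --json` and your package.json instead.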

@jacobbroughton

Can't blame people for being concerned, big red '96 high risk vulnerabilities' is sure to get everyone's attention. Thanks for the update though.


gaearon commented Jul 2, 2021

Yeah it's pretty frustrating. And also understandable because many people don't know what things like "regex ddos" means or even how webapps work in general. So I understand that it looks scary.


bcagarwal commented Jul 2, 2021

@gaearon Thanks for the update. However, if we have seen / are seeing hundreds of issues with thousands of comments on those 96 vulnerabilities (as you said, 'false positives'), this should have been fixed in the first place. You must agree that people must have wasted their time as well after seeing those vulnerabilities. Also, there is no documentation to categorize those (at least I am not aware of any). So, not everyone would know if they are false positives or real vulnerabilities.

Thank you again for your help. Hope this will be fixed soon so that people do not raise the same issue again and again.


gaearon commented Jul 2, 2021

However, if we have seen / are seeing hundreds of issues with thousands of comments on those 96 vulnerabilities (as you said, 'false positives'), this should have been fixed in the first place

I'm not sure what you're suggesting. These are not issues with Create React App, but with low-level dependencies of transitive packages. Like I said, they are almost always irrelevant because they don't make sense in the context of a build tool. So there is nothing to "fix". Eventually the low-level dependencies update, and we pull in the updates in the next update. But it's a lot of churn and unnecessary release work just to work around the warnings which are not relevant.

You must agree that people must have wasted their time as well after seeing those vulnerabilities.

I am referring to people's time, not to my time. It is a waste of time for our users. This is why I made this issue for a centralized explanation. We'll also move react-scripts to devDependencies so that these warnings aren't reported by default.

It wasn't our idea to show these warnings. npm added this without considering the ecosystem impact on build tools.

Also, there is no documentation to categorize those (at least I am not aware of any).

I don't know what kind of documentation we could provide here. Each CVE is annotated with an explanation of the type of the mistake (e.g. "prototype pollution" or "regex ddos"). These are generally well-described if you look for information about those. But we can't provide you some automated way to understand which ones affect a build tool. To understand this, you need to have an idea of how build tools work, and how the dependency is used. This isn't something we can teach in a day, but if you research each issue yourself for a little bit, you will be able to figure it out. If not, we can help in this thread.

Hope this will be fixed soon so that people do not raise the same issue again and again.

I don't know what you want to be fixed. The way npm audit works is fundamentally at odds with the way build tools work. So we'll keep having this issue. But hopefully the move to devDependencies (as this thread suggests) will make it less prominent.

@frankthoeny

What if the low-level dependencies of transitive packages are deprecated and there is no fix until those low-level dependencies are updated?


gaearon commented Jul 2, 2021

What if the low-level dependencies of transitive packages are deprecated and there is no fix until those low-level dependencies are updated?

My question is what are you trying to fix, precisely? If the issue is real and affects CRA users, then we'll need to work with the packages up the tree to find who can solve the issue. If the issue does not affect CRA users, then it's up to you how you want to approach it. I don't think it makes sense for the CRA maintainers to solve issues that are out of scope of CRA's usage.

If all you want to fix are npm audit warnings, then the first post in this thread explains how. (Move react-scripts to devDependencies.)


ako-v commented Jul 3, 2021

Hi.
I moved react-scripts to devDependencies as you said, but it does not solve the reporting problem, and I still get npm audit warnings.
Thank you for your help.


ptamarit commented Jul 3, 2021

Could react-scripts use caret ranges for all its dependencies, or is it too idealistic to assume that the maintainers of these dependencies respect semantic versioning?


gaearon commented Jul 3, 2021

I moved react-scripts to devDependencies as you said, but it does not solve the reporting problem, and I still get npm audit warnings.

Yes, you're right. It appears that it's also necessary to use npm audit --production rather than npm audit.
I amended the original post.

Unfortunately, that probably means that even changing the default won't fix the warnings that people see creating a new project. This is something we (probably?) can't fix without npm or hijacking console output. (Edit: #11176 may help.)

Could react-scripts use caret ranges for all its dependencies, or is it too idealistic to assume that the maintainers of these dependencies respect semantic versioning?

The problem is usually with deeply transitive dependencies, so carets in the middle of the tree usually take care of this anyway. It is pretty risky to use carets at the react-scripts level because it's an integration package, and so it is much easier for something to break accidentally even if a dependency released a patch. It's also not going to help realistically in cases where the transitive dependency fix comes with a major bump, and everything in the middle has to be upgraded.

@bcagarwal

To understand this, you need to have an idea of how build tools work, and how the dependency is used. This isn't something we can teach in a day, but if you research each issue yourself for a little bit, you will be able to figure it out. If not, we can help in this thread.

Not everyone is an expert on how the build tools work. Would definitely love to know how CRA build tool works. Appreciate any help.


gaearon commented Jul 3, 2021

@bcagarwal I empathize with this but I really don't know what we should be doing here. I feel out of my depth. npm added these warnings without consulting or working with the build tool ecosystem, and now an untold number of person-years is being spent chasing this security theater. I am beyond frustrated by this, as I imagine you are, but I don't know who and how can solve this.


fmalk commented Jul 18, 2024

This is my own override for a freshly minted [email protected]:

"overrides": {
  "svgo": {
    "nth-check": ">=2.0.2"
  },
  "react-scripts": {
    "postcss": ">=8.4.31"
  }
},

found 0 vulnerabilities
