Help, `npm audit` says I have a vulnerability in react-scripts! #11174
Comments
Can't blame people for being concerned, big red '96 high risk vulnerabilities' is sure to get everyone's attention. Thanks for the update though.
Yeah it's pretty frustrating. And also understandable because many people don't know what things like "regex ddos" means or even how webapps work in general. So I understand that it looks scary.
@gaearon Thanks for the update. However, if we have seen/are seeing hundreds of issues with thousands of comments on those 96 vulnerabilities (as you said, 'false positives'), this should have been fixed in the first place. You must agree that people must have wasted their time as well after seeing those vulnerabilities. Also, there is no documentation to categorize those (at least I am not aware of any). So, not everyone would know if they are false positives or real vulnerabilities. Thank you again for your help. Hope this gets fixed soon so that people would not raise the same issue again and again.
I'm not sure what you're suggesting. These are not issues with Create React App, but with low-level dependencies of transitive packages. Like I said, they are almost always irrelevant because they don't make sense in the context of a build tool. So there is nothing to "fix". Eventually the low-level dependencies update, and we pull in the updates in the next update. But it's a lot of churn and unnecessary release work just to work around the warnings which are not relevant.
I am referring to people's time, not to my time. It is a waste of time for our users. This is why I made this issue for a centralized explanation. We'll also move It wasn't our idea to show these warnings.
I don't know what kind of documentation we could provide here. Each CVE is annotated with an explanation of the type of the mistake (e.g. "prototype pollution" or "regex ddos"). These are generally well-described if you look for information about those. But we can't provide you some automated way to understand which ones affect a build tool. To understand this, you need to have an idea of how build tools work, and how the dependency is used. This isn't something we can teach in a day, but if you research each issue yourself for a little bit, you will be able to figure it out. If not, we can help in this thread.
I don't know what you want to be fixed. The way
What if the low-level dependencies of transitive packages are deprecated and there is no fix until those low-level dependencies are updated?
My question is what are you trying to fix, precisely? If the issue is real and affects CRA users, then we'll need to work with the packages up the tree to find who can solve the issue. If the issue does not affect CRA users, then it's up to you how you want to approach it. I don't think it makes sense for the CRA maintainers to solve issues that are out of scope of CRA's usage. If all you want to fix are
Hi.
Could
Yes, you're right. It appears that it's also necessary to use Unfortunately, that probably means that even changing the default won't fix the warnings that people see creating a new project. This is something we (probably?) can't fix without npm or hijacking console output. (Edit: #11176 may help.)
The problem is usually with deeply transitive dependencies, so carets in the middle of the tree usually take care of this anyway. It is pretty risky to use carets at the
Not everyone is an expert on how the build tools work. Would definitely love to know how CRA build tool works. Appreciate any help.
@bcagarwal I empathize with this but I really don't know what we should be doing here. I feel out of my depth. npm added these warnings without consulting or working with the build tool ecosystem, and now an untold number of person-years is being spent chasing this security theater. I am beyond frustrated by this, as I imagine you are, but I don't know who and how can solve this.
Added support for linting and tried to address some npm audit vulnerability annoyances via instructions at facebook/create-react-app#11174
This is my own override for a freshly minted
react-scripts causes audit warnings that are not relevant since it is a build tool. See here: facebook/create-react-app#11174
react-scripts causes audit warnings that are not relevant since it is a build tool. See here: facebook/create-react-app#11174 Signed-off-by: Robert Schüler <[email protected]>
As suggested in facebook/create-react-app#11174
See this issue <facebook/create-react-app#11174> for details.
…overrides - Moved `react-scripts` to `devDependencies` to mitigate dependency conflict with `nth-check`. - Applied overrides to update `nth-check` to a non-vulnerable version (>=2.0.2). - Updated `postcss` to match the required version (>=8.4.31) in `react-scripts`. - Adjusted package-lock.json to remove old references to vulnerable packages. Ref: facebook/create-react-app#11174
`npm audit` is broken for front-end tooling by design
Bad news, but it's true. See here for a longer explanation.
If you think you found a real vulnerability in `react-scripts`
If you know that it affects CRA users because you understand what the vulnerability is, report it here as soon as possible.
If you're not sure but your CI is failing or you're worried about what `npm audit` tells you, keep reading.
Do not file new issues based on `npm audit` if you don't 100% understand the problem. They will be closed (see why below). If you really need to discuss it, reply in this thread instead.
`npm audit` says there's a warning about vulnerabilities in my project
Open `package.json`. You will find this:
Take `react-scripts` and move it to `devDependencies` (if you don't have it, create it):
Then, ensure you run `npm audit --production` rather than `npm audit`.
This will fix your warnings.
But isn't this just ignoring the problem?
No.
Create React App is a build tool. In other words, it doesn't produce a running Node application. It runs at the build time during development, and produces static assets.
However, `npm audit` is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.
This means that the overwhelming amount of "vulnerability" reports we receive for transitive dependencies are false positives. Despite literally a hundred issues with thousands of comments about `npm audit` warnings in `react-scripts`, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users.
This is a huge waste of everyone's time. Mostly of yours, but of ours too.
But I still see these warnings when creating a new project or running `npm install`
Yes, unfortunately that's how `npm` works since v6. You can bring it up with npm. If enough people complain, maybe they'll rethink this decision. It is unfortunately actively hostile to build tooling.
Note that you can run `npm install --no-audit` to suppress them.
I know the transitive dependency has a fix, how can I try it?
If you already know that `[email protected]` has the fix that you need, but `react-scripts` hasn't yet updated to it, you can try your luck using that version forcefully. With Yarn, you can do it using resolutions. With npm, you might need to wait for overrides or npm audit fix overrides integration to land first (it's not implemented yet). You can also try npm-force-resolutions.
But can't a build tool have vulnerabilities, too?
Yes, in principle.
The few times there was an actual vulnerability, it was reported separately, and we released patches as soon as it was possible. You can always report real vulnerabilities here, but please do this if you understand the difference between a real vulnerability and a false positive. For example, a "Regex DDOS attack" can never be a real vulnerability for a development-time tool. If you're not sure, you're welcome to ask in this thread, but please keep it brief and to the point so that the thread doesn't become unreadable.
Really, the worst problem is that when there is a real attack poisoning the build toolchain, we won't know about it because it will be buried underneath the 99.9% of false positives.
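The two fixes the post recommends, moving `react-scripts` to `devDependencies` so that `npm audit --production` ignores its transitive tree, and pinning a patched transitive version via Yarn `resolutions` / npm `overrides`, as an added example that is not code from the issue or from the Create React App project. The dependency tree, advisory list and `package.json` are constructed stand-ins for what `package-lock.json` and `npm audit --json` would contain; the function names and the `^5.0.0` / `>=2.0.2` ranges are assumptions.

```javascript
// Added example, not code from the create-react-app issue or its maintainers.
// It models why `npm audit --production` stops reporting advisories once the
// build tool lives in devDependencies. The dependency tree, advisory list and
// package.json below are constructed; real ones come from the lockfile and npm audit.

// Constructed, simplified tree: package name -> its direct dependencies.
const TREE = {
  "react": {},
  "react-dom": { "react": "^18.0.0" },
  "react-scripts": { "postcss": "^8.0.0", "svgo": "^1.0.0" },
  "svgo": { "css-select": "^2.0.0" },
  "css-select": { "nth-check": "^1.0.0" },
  "nth-check": {},
  "postcss": {},
};

// Constructed advisories: flagged package -> severity reported by npm audit.
const ADVISORIES = { "nth-check": "high", "postcss": "moderate" };

// Everything reachable from a set of root package names (depth-first walk).
function reachableFrom(roots, tree) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    stack.push(...Object.keys(tree[name] || {}));
  }
  return seen;
}

// "production" = reachable from dependencies (ships with the app),
// "dev-only"   = reachable only from devDependencies (build time only).
// npm audit --production keeps the first group and drops the second.
function classifyAdvisories(pkg, tree, advisories) {
  const prod = reachableFrom(Object.keys(pkg.dependencies || {}), tree);
  const dev = reachableFrom(Object.keys(pkg.devDependencies || {}), tree);
  const result = {};
  for (const name of Object.keys(advisories)) {
    result[name] = prod.has(name) ? "production" : dev.has(name) ? "dev-only" : "unreachable";
  }
  return result;
}

// The edit the post describes: move a build tool out of dependencies,
// creating devDependencies if it is missing. Returns a new object, input untouched.
function moveToDevDependencies(pkg, name) {
  const { [name]: range, ...deps } = pkg.dependencies || {};
  if (range === undefined) return pkg;
  return {
    ...pkg,
    dependencies: deps,
    devDependencies: { ...(pkg.devDependencies || {}), [name]: range },
  };
}

// Force a patched transitive version when the build tool has not updated yet:
// Yarn reads "resolutions", npm 8.3+ reads "overrides". Returns a new object.
function pinTransitive(pkg, name, range) {
  return {
    ...pkg,
    resolutions: { ...(pkg.resolutions || {}), [name]: range },
    overrides: { ...(pkg.overrides || {}), [name]: range },
  };
}
// Constructed package.json for a fresh project (version ranges are placeholders).
const BEFORE = { name: "my-app", dependencies: { "react": "^18.0.0", "react-dom": "^18.0.0", "react-scripts": "^5.0.0" } };
const AFTER = pinTransitive(moveToDevDependencies(BEFORE, "react-scripts"), "nth-check", ">=2.0.2");
```

Before the move both advisories classify as "production"; after it they are "dev-only", which is exactly the set `npm audit --production` stops reporting.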