
update vulnerable dependencies #12055

Open
juliocarneiro opened this issue Feb 13, 2022 · 14 comments

Comments

@juliocarneiro

juliocarneiro commented Feb 13, 2022

Describe the bug

Snyk reports vulnerable dependencies in react-scripts

Did you try recovering your dependencies?

yes

Environment

System:
OS: Windows 10 10.0.19044
CPU: (4) x64 Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
Binaries:
Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.17 - C:\Program Files\nodejs\yarn.CMD
npm: 8.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: Not Found
Edge: Spartan (44.19041.1266.0), Chromium (98.0.1108.50)
Internet Explorer: 11.0.19041.1202
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: 5.0.0 => 5.0.0
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce


  1. Open cra project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Expected behavior

There should be no vulnerabilities

Actual behavior

Regular Expression Denial of Service (ReDoS)
Vulnerability | CVE-2021-3803 | CWE-1333 | CVSS 7.5 | SNYK-JS-NTHCHECK-1586032
Vulnerable module
nth-check
Introduced through
[email protected]
Fixed in
[email protected]
Exploit maturity
Not Defined
Detailed paths
Introduced through: [email protected] > [email protected] > @svgr/[email protected] > @svgr/[email protected] > [email protected] > [email protected] > [email protected]
Remediation: Upgrade nth-check to version 2.0.1 or higher. (@svgr/[email protected] to @svgr/[email protected])


Regular Expression Denial of Service (ReDoS)
Vulnerability | CVE-2021-33587 | CWE-400 | CVSS 5.3 | SNYK-JS-CSSWHAT-1298035
Vulnerable module
css-what
Introduced through
[email protected]
Fixed in
[email protected]
Exploit maturity
Not Defined
Detailed paths
Introduced through: [email protected] > [email protected] > @svgr/[email protected] > @svgr/[email protected] > [email protected] > [email protected] > [email protected]
Remediation: Upgrade css-what to version 5.0.1 or higher. (@svgr/[email protected] to @svgr/[email protected])

Reproducible demo

https://github.com/juliocarneiro/react-chrome-extension

  1. Open project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin
@juliocarneiro juliocarneiro changed the title Vulnerability dependencies update vulnerability dependencies Feb 13, 2022
@juliocarneiro juliocarneiro changed the title update vulnerability dependencies update vulnerable dependencies Feb 13, 2022
@ghost

ghost commented Feb 28, 2022

This can be fixed by updating the @svgr/webpack dependency in react-scripts to latest version (6.2.1) - https://github.com/facebook/create-react-app/blob/main/packages/react-scripts/package.json#L33

@NapalmCodes

NapalmCodes commented Jun 17, 2022

Any ETA on this? Snyk promoted to a high severity vulnerability. Utilizing overrides for now.

@struginskij

Any update?

1 similar comment
@satori-code

Any update?

@OmegaDL2

Do you have any timetable where this might get fixed?

@samanehsan

This is triggering a high-severity alert in dependabot as well: https://github.com/DataBiosphere/jade-data-repo-ui/security/dependabot/12

@rishabhdugar

This is showing as a high vulnerability for us, with a dependency on react-scripts 5.0.0 (CVE-2021-3803). Any pointers/ETA on this will be helpful.

@juliocarneiro
Author

Any update?

@MrAndrew

If the repo owners won't fix, is there any known workaround?

@exil0867

exil0867 commented Sep 1, 2022

We will be switching to ViteJS because of this.

@shirelfanbaum

Hi, I'm still experiencing this issue, and nothing solves it, is there a solution for it?

@mwolski89

+1

@GrimzEcho

GrimzEcho commented Dec 13, 2022

Until this is patched, you can override the @svgr/webpack version by adding the following to your package.json.

  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

You will need to be using a fairly recent version of NPM for this to work (I forget the exact version overrides were introduced). Updating the version of @svgr/webpack is what the PR does, but if you want a more precise override, you can also go deeper and just pin nth-check. See https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides for more info.
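As an added example (not code from this issue or from create-react-app), a small Node script that walks an `npm ls --json --all`-style dependency tree and lists every path that still reaches nth-check or css-what below the fixed versions quoted in the Snyk output above, which is how to confirm the override actually landed. The tree and the intermediate package versions are constructed sample data, since the issue's quoted path has those versions elided.

```javascript
'use strict';

// Fixed versions named in the issue's Snyk output (nth-check 2.0.1, css-what 5.0.1).
const FIXED = { 'nth-check': '2.0.1', 'css-what': '5.0.1' };

// Minimal x.y.z comparison (assumes plain numeric versions, no prerelease tags);
// returns <0, 0 or >0 like strcmp.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` objects that `npm ls --json` emits.
// Returns one hit per path whose leaf is a tracked package below its fixed version.
function findVulnerablePaths(tree, fixed = FIXED, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...trail, `${name}@${node.version}`];
    if (fixed[name] && cmpVersion(node.version, fixed[name]) < 0) {
      hits.push({ name, version: node.version, fixed: fixed[name], path: here.join(' > ') });
    }
    hits.push(...findVulnerablePaths(node, fixed, here)); // recurse into transitive deps
  }
  return hits;
}

// Constructed sample modelled on the chain quoted in the issue, before any override:
// react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check.
// Intermediate versions are illustrative, not taken from the issue.
const SAMPLE_TREE = {
  dependencies: {
    'react-scripts': { version: '5.0.0', dependencies: {
      '@svgr/webpack': { version: '5.5.0', dependencies: {
        '@svgr/plugin-svgo': { version: '5.5.0', dependencies: {
          svgo: { version: '1.3.2', dependencies: {
            'css-select': { version: '2.1.0', dependencies: {
              'nth-check': { version: '1.0.2' },
              'css-what': { version: '3.4.2' },
            } },
          } },
        } },
      } },
    } },
  },
};

for (const h of findVulnerablePaths(SAMPLE_TREE)) {
  console.log(`${h.name}@${h.version} (fixed in ${h.fixed}): ${h.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json --all`; an empty result after adding the override means no remaining path reaches the vulnerable versions.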

@nwoodr94

nwoodr94 commented Mar 8, 2023

I use this web utility to update my package.json before we go into production, and am still finding that the vuln exists in the latest version, now ^5.0.1

This matters because we can't deploy vulnerabilities.

npm list

+-- [email protected]

npm audit

npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change

Maybe this will get fixed after the tech recession, lol

This worked for me

Until this is patched, you can override the @svgr/webpack version by adding the following to your package.json.

  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

You will need to be using a fairly recent version of NPM for this to work (I forget the exact version overrides were introduced). Updating the version of @svgr/webpack is what the PR does, but if you want a more precise override, you can also go deeper and just pin nth-check. See https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides for more info.
