Vulnerability in react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what

[im-deepakk]

Describe the bug

Upgrade react-scripts to have the @@svgr/webpack@6.* as the dependency. As the current @svgr/[email protected] has following vulnerable versions as dependency.

nth-check - https://security.snyk.io/vuln/SNYK-JS-NTHCHECK-1586032
css-what - https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-1298035

Below is the dependency tree:

+-- [email protected]
├─┬ @svgr/[email protected]
│ └─┬ @svgr/[email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└──[email protected]

Environment

Environment Info:
current version of create-react-app: 5.0.0
System:
OS: Windows 7 6.1.7601
CPU: (8) x64 Intel(R) Xeon(R) CPU E3-1585L v5 @ 3.00GHz
Binaries:
Node: 14.17.6 - ...\tools\nodejs14-win7\latest\node.EXE
Yarn: Not Found
npm: 8.2.0 - ...\data\npm14\npm.CMD
Browsers:
Chrome: 97.0.4692.71
Internet Explorer: 11.0.9600.20139

Steps to reproduce

npx create-react-app

Expected behavior

The react-scripts should not be having any dependency on vulnerable components.

Actual behavior

The dependent package @svgr/webpack 5.5.0 refers to vulnerable components, as per the author the v6 has the fix for the same.

[Vishal-Mayal]

Hi, any updates on when the package will be updated?
Thank you.

[PraveenkumarD2004]

Hi, I am also facing the same issue. When I upgrading react-scripts to 5.0.0 version. While npm audit I am getting the same Vulnerability Error.

Error:
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

FYI, Upgrade react-scripts to have the @@svgr/webpack@6. as the dependency. As the current @svgr/[email protected] has following vulnerable versions as dependency.

Thanks & Regards,
Praveen Kumar D.

[palminha]

same here...

% npm audit
# npm audit report

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 moderate severity vulnerabilities

I'm using react-scripts 5.0.0

% npm list react-scripts
[email protected] /Users/palmito/Development/risk-util-tool/webapp
└── [email protected]

[palminha]

the vulnerable dependency is dependent of [email protected]

% npm list nth-check
create-react-app@ /Users/palmito/Development/create-react-app
├─┬ cra-docs@ -> ./docusaurus/website
│ └─┬ @docusaurus/[email protected]
│   └─┬ @slorber/[email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected]
├─┬ [email protected] -> ./packages/react-scripts
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]

[palminha]

The vulnerable dependency is caused by svg-term-cli
project seems to be abandoned for a couple of years (a lot of dependabot pull-requests getting rotten...)

[palminha]

@marionebl any feedback on svg-term-cli ?

[slowWriting]

Have you guys read this stickied issue?
#11174

[palminha]

moving the dependency to dev makes the vulnerability only dependent of svgr/webpack

% npm list nth-check
[email protected] /Users/palmito/Development/risk-util-tool/webapp
└─┬ [email protected]
  ├─┬ @svgr/[email protected]
  │ └─┬ @svgr/[email protected]
  │   └─┬ [email protected]
  │     └─┬ [email protected]
  │       └── [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

followed-up here #12146

[PraveenkumarD2004]

Hi, any updates on when the package will be updated?
Thanks & Regards,
Praveen Kumar D.

[Stunext]

Read this: #11174 ...then wait, there are more important things than fixing false positives. It will be fixed at the next scheduled update or when a critical bug appears.

[Githubbubber]

Read this: #11174 ...then wait, there are more important things than fixing false positives. It will be fixed at the next scheduled update or when a critical bug appears.

Fair enough

[JY1148]

same issue.

npm run build, failed to compile.
npm audit fix, got this:

[vishal-bypt]

Is there any ETA for nth-check & css-what vulnerabilities?

[thomazcapra]

While this issue is not fixed, I did a workaround to solve it.

The problem seems to be starting with the lib @svgr/webpack 4.0.0 - 5.0.0.

If you are using node >= 16, you can install @svgr/webpack by yourself, in my case I installed the version: "^6.2.1" as devDependency.

After that, you should create a overrides (or resolutions if you are using yarn) section in your package.json and include the line: @svgr/webpack": "$@svgr/webpack. (in my case, I already had the react and react-dom).

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

This worked for me :)

[irangar]

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

thanks, bro

[miotegui]

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

i was getting mad, thanks bro! it worked perfect.

if there's a newbie like me there, you can install the dependency with this line:

npm install @svgr/webpack --save-dev

[GlennVialli]

While this issue is not fixed, I did a workaround to solve it.

The problem seems to be starting with the lib @svgr/webpack 4.0.0 - 5.0.0.

If you are using node >= 16, you can install @svgr/webpack by yourself, in my case I installed the version: "^6.2.1" as devDependency.

After that, you should create a overrides (or resolutions if you are using yarn) section in your package.json and include the line: @svgr/webpack": "$@svgr/webpack. (in my case, I already had the react and react-dom).

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

This worked for me :)

In my case,
my overrides in package.json should be

"overrides": {
"@svgr/webpack": "^6.2.1"
},

[thomazcapra]

In my case, my overrides in package.json should be

"overrides": { "@svgr/webpack": "^6.2.1" },

"To make this limitation easier to deal with, overrides may also be defined as a reference to a spec for a direct dependency by prefixing the name of the package you wish the version to match with a $"

https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

[FernandoPerezLara]

Best solution:

"overrides": {
  "nth-check": "2.0.1"
},

[orsharab-yy]

Is there any ETA for this?

[struginskij]

Any update?

[chandrajitsatapathy]

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

i was getting mad, thanks bro! it worked perfect.

if there's a newbie like me there, you can install the dependency with this line:

npm install @svgr/webpack --save-dev

npm install --save-dev webpack@ edit the version to the required one.

[taimoorimran]

Any update?

[callain]

If you move react-scripts in "devDependencies", npm audit --production do not display any vulnerabilities.

The best explanation of why everything is in "dependencies" is here.
https://stackoverflow.com/questions/44868453/create-react-app-install-devdepencies-in-dependencies-section/44872787#44872787

But in fact, it matters when running npm audit --production because devDependencies are ignored.

[gaearon]

#11647 (comment)