-
-
Notifications
You must be signed in to change notification settings - Fork 26.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
React-Scripts dependencies with CVEs #8529
Comments
I'll add some from [email protected] (latest) Description: Prototype Pollution Introduced through: [email protected] › [email protected] › [email protected] › [email protected] |
+1 for yargs-parser |
In the meantime, forcing resolution to an pre-breaking change release of yargs-parser seems to work |
any version of react-scripts package without this vulnerability? |
any fix planned for |
Please file with webpack-dev-server about |
There is a webpack-dev-server issue: webpack/webpack-dev-server#2559 |
FYI: webpack/webpack-dev-server#2581 has been merged and I've opened a PR here to upgrade |
When might we expect the next release of |
Hope that this is soon because a new high priority vulnerability has been raised now:
|
@ianschmitz @iansu do you know when the next release will happen? I think it would be nice if we could get security related changes published as soon as possible after being reviewed and merged. I would love to help if I can. If there are specific tasks needed or technical blockers, I would be happy to be involved and pick up some work? |
I am also getting this error for react-scripts > webpack-dev-server > yargs > yargs-parser, Is there any solution to it ? My website build is getting failed because of this error.
Low Prototype Pollution Package yargs-parser Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 Dependency of react-scripts [dev] Path react-scripts > webpack-dev-server > yargs > yargs-parser More info https://npmjs.com/advisories/1500 found 1 low severity vulnerability in 1690 scanned packages |
Same here. I am tracking this issue here https://github.com/zw627/react-router-github-pages/issues/11 |
Getting this audit report is their any update on this ?
Some vulnerabilities require your attention to resolve Visit https://go.npm.me/audit-guide for additional guidance Low Prototype Pollution Package yargs-parser Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 Dependency of react-scripts Path react-scripts > webpack-dev-server > yargs > yargs-parse More info https://npmjs.com/advisories/1500 found 1 low severity vulnerability in 1620 scanned packages |
Getting the same issue mentioned above, is there any new version of react-script which will fix this issue.
|
I am having the same issue, any updates on this? |
Same issue here. Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1. found 4982 low severity vulnerabilities in 1641 scanned packages Attached is the vulnerability report. |
Most of these are not related to |
Good to know, I just spent a while trying unsuccessfully to fix this. |
Thanks a lot for the update @EoghanBonass |
No problem @shridharbhandiwad and @jacobwicks 🙂 The lodash PR was merged into what I assume is a release branch ( |
re: workbox, would it makes sense to make it optional? |
when other dependencies are updated the yargs-parser get rollback to its previous older versions. on updating outdated packages, yargs-parser needs manual audit to update its new patch again. |
cc @vigomesbr |
|
There are no and have been no vulnerabilities here that would affect Create React App projects. These are all false positives because none of this code ends up in a build. This is all, unfortunately, wasted effort. |
I’m going to close as there’s no real vulnerabilities and they’re all transitive. This means that if you are determined to spend time on false positives (for example, maybe your company adopted a policy that treats false positives from |
Is your proposal related to a problem?
Snyk reports vulnerabilities in react-scripts dependency tree:
✗ Medium severity vulnerability found in dot-prop
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489
Introduced through: [email protected]
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
Fixed in: 5.1.1
✗ Medium severity vulnerability found in @hapi/hoek
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-HAPIHOEK-548452
Introduced through: [email protected]
From: [email protected] > [email protected] > [email protected] > @hapi/[email protected] > @hapi/[email protected]
From: [email protected] > [email protected] > [email protected] > @hapi/[email protected] > @hapi/[email protected] > @hapi/[email protected]
Fixed in: 8.5.1, 9.0.3
Please note that although the above references [email protected], v3.4.0 has not updated these dependencies and therefore has the same problem.
Describe the solution you'd like
Release a new version of react-scripts that updates to the latest versions of workbox-webpack-plugin and optimize-css-assets-webpack-plugin, which should resolve this issue.
Describe alternatives you've considered
None
Additional context
N/A
The text was updated successfully, but these errors were encountered: