Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

React-Scripts dependencies with CVEs #8529

Closed
kevinfealey opened this issue Feb 20, 2020 · 27 comments
Closed

React-Scripts dependencies with CVEs #8529

kevinfealey opened this issue Feb 20, 2020 · 27 comments

Comments

@kevinfealey
Copy link

Is your proposal related to a problem?

Snyk reports vulnerabilities in react-scripts dependency tree:

✗ Medium severity vulnerability found in dot-prop

Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489

Introduced through: [email protected]
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
Fixed in: 5.1.1

✗ Medium severity vulnerability found in @hapi/hoek

Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-HAPIHOEK-548452

Introduced through: [email protected]
From: [email protected] > [email protected] > [email protected] > @hapi/[email protected] > @hapi/[email protected]
From: [email protected] > [email protected] > [email protected] > @hapi/[email protected] > @hapi/[email protected] > @hapi/[email protected]
Fixed in: 8.5.1, 9.0.3

Please note that although the above references [email protected], v3.4.0 has not updated these dependencies and therefore has the same problem.

Describe the solution you'd like

Release a new version of react-scripts that updates to the latest versions of workbox-webpack-plugin and optimize-css-assets-webpack-plugin, which should resolve this issue.

Describe alternatives you've considered

None

Additional context

N/A

@krisgerhard
Copy link

krisgerhard commented Apr 30, 2020

I'll add some from [email protected] (latest)

Description: Prototype Pollution
Info: https://app.snyk.io/vuln/SNYK-JS-YARGSPARSER-560381**

Introduced through: [email protected][email protected][email protected][email protected]

@shmily40686
Copy link

+1 for yargs-parser

@MrMonsk
Copy link

MrMonsk commented May 1, 2020

yargs-parser has had breaking changes in its releases since 16.1.0: https://github.com/yargs/yargs-parser/releases

In the meantime, forcing resolution to an pre-breaking change release of yargs-parser seems to work

@thecaptain10
Copy link

thecaptain10 commented May 6, 2020

any version of react-scripts package without this vulnerability?

@vikramdadwal
Copy link

vikramdadwal commented May 7, 2020

any fix planned for yargs-parser ?

@ianschmitz
Copy link
Contributor

Please file with webpack-dev-server about yargs-parser. There's nothing we can from our end to update their dependencies.

@priegger
Copy link

priegger commented May 8, 2020

There is a webpack-dev-server issue: webpack/webpack-dev-server#2559

@mhassan1
Copy link
Contributor

mhassan1 commented May 8, 2020

FYI: webpack/webpack-dev-server#2581 has been merged and [email protected] has been released with the fix.

I've opened a PR here to upgrade yargs-parser: #8975

@mhassan1
Copy link
Contributor

When might we expect the next release of react-scripts?

@dillu24
Copy link

dillu24 commented May 15, 2020

When might we expect the next release of react-scripts?

Hope that this is soon because a new high priority vulnerability has been raised now:

Denial of Service in the web-pack dependency

@matteofigus
Copy link

matteofigus commented May 18, 2020

@ianschmitz @iansu do you know when the next release will happen? I think it would be nice if we could get security related changes published as soon as possible after being reviewed and merged.

I would love to help if I can. If there are specific tasks needed or technical blockers, I would be happy to be involved and pick up some work?

@sonikamah
Copy link

I am also getting this error for react-scripts > webpack-dev-server > yargs > yargs-parser, Is there any solution to it ? My website build is getting failed because of this error.

                  === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts [dev]

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1690 scanned packages
1 vulnerability requires manual review. See the full report for details.

@dillu24
Copy link

dillu24 commented May 19, 2020

I am also getting this error for react-scripts > webpack-dev-server > yargs > yargs-parser, Is there any solution to it ? My website build is getting failed because of this error.

                  === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts [dev]

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1690 scanned packages
1 vulnerability requires manual review. See the full report for details.

Same here. I am tracking this issue here https://github.com/zw627/react-router-github-pages/issues/11

@shahrukhsiddiqui
Copy link

shahrukhsiddiqui commented May 22, 2020

Getting this audit report is their any update on this ?
`
=== npm audit security report ===

                                           Manual Review

Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parse

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1620 scanned packages
1 vulnerability requires manual review. See the full report for details.`

@AbhaysinghBhosale
Copy link

AbhaysinghBhosale commented Jun 15, 2020

Getting the same issue mentioned above, is there any new version of react-script which will fix this issue.

Low             Prototype Pollution                                                                                                                   
Package         yargs-parser                                                                                                                        
Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2                                                                                           
Dependency of   react-scripts [dev]                                                                                                                            
Path            react-scripts > webpack-dev-server > yargs > yargs-parser                                                                                   
More info       https://nodesecurity.io/advisories/1500

@lausellduane
Copy link

I am having the same issue, any updates on this?

@shridharbhandiwad
Copy link

shridharbhandiwad commented Jul 3, 2020

Same issue here.

Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.

found 4982 low severity vulnerabilities in 1641 scanned packages
4982 vulnerabilities require manual review. See the full report for details.

Attached is the vulnerability report.
vulnerability-report.txt

@EoghanBonass
Copy link

Same issue here.

Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.

found 4982 low severity vulnerabilities in 1641 scanned packages 4982 vulnerabilities require manual review. See the full report for details.

Most of these are not related to yargs-parser - they're from a new vulnerability raised by npm for lodash. This PR https://github.com/lodash/lodash/pull/4759 has already been merged to fix the issue, so npm will probably release a patch based on the PR.

@jacobwicks
Copy link

Same issue here.
Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.
found 4982 low severity vulnerabilities in 1641 scanned packages 4982 vulnerabilities require manual review. See the full report for details.

Most of these are not related to yargs-parser - they're from a new vulnerability raised by npm for lodash. This PR https://github.com/lodash/lodash/pull/4759 has already been merged to fix the issue, so npm will probably release a patch based on the PR.

Good to know, I just spent a while trying unsuccessfully to fix this.

@shridharbhandiwad
Copy link

Same issue here.
Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.
found 4982 low severity vulnerabilities in 1641 scanned packages 4982 vulnerabilities require manual review. See the full report for details.

Most of these are not related to yargs-parser - they're from a new vulnerability raised by npm for lodash. This PR https://github.com/lodash/lodash/pull/4759 has already been merged to fix the issue, so npm will probably release a patch based on the PR.

Thanks a lot for the update @EoghanBonass

@EoghanBonass
Copy link

No problem @shridharbhandiwad and @jacobwicks 🙂

The lodash PR was merged into what I assume is a release branch (lodash:4.17.15-post), so this needs to be fully released and then whitelisted by npm for the lodash vulnerability to be resolved.

@dimaqq
Copy link

dimaqq commented Jul 14, 2020

re: workbox, would it makes sense to make it optional?
I feel that there was a time when Google pushed PWA and I think that was perhaps the impetus of adding it in, right?
But today, is it all that common to use web workers?

@iamjatinchauhan
Copy link

when other dependencies are updated the yargs-parser get rollback to its previous older versions.

on updating outdated packages, yargs-parser needs manual audit to update its new patch again.

@jimmyandrade
Copy link

cc @vigomesbr

@schontz
Copy link

schontz commented Sep 8, 2020

  1. When will this be fixed?
  2. Does it actually matter? In other words, does any of the broken lodash or yargs code end up in the final build?

@gaearon
Copy link
Contributor

gaearon commented Oct 7, 2020

There are no and have been no vulnerabilities here that would affect Create React App projects. These are all false positives because none of this code ends up in a build.

This is all, unfortunately, wasted effort.

@gaearon gaearon closed this as completed Oct 7, 2020
@gaearon
Copy link
Contributor

gaearon commented Oct 7, 2020

I’m going to close as there’s no real vulnerabilities and they’re all transitive. This means that if you are determined to spend time on false positives (for example, maybe your company adopted a policy that treats false positives from npm audit as real issues) then you need to file issues in the transitive dependencies. Once those are fixed you need to regenerate the lockfile. There is nothing actionable for Create React App here.

@facebook facebook locked as resolved and limited conversation to collaborators Oct 7, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests