
Critical vulnerability in react-scripts package due to the package version is not updated #11523

Open
vveselov opened this issue Oct 8, 2021 · 7 comments

Comments

@vveselov

vveselov commented Oct 8, 2021

Describe the bug

Yarn audit command shows critical vulnerability for immer package:

 my-app % yarn audit --level critical
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > react-dev-utils > immer                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002492                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
115 vulnerabilities found - Packages audited: 1682
Severity: 85 Moderate | 29 High | 1 Critical

package.json file for react-dev-utils package uses the correct version of immer.
However, since the version of the react-scripts package was not changed (still 4.0.3 for the last 8 months), the update is not published to the package repositories (npm, yarn).

Did you try recovering your dependencies?

Yes, I did

Which terms did you search for in User Guide?

Fix vulnerabilities

Environment

Environment Info:

  current version of create-react-app: 4.0.3
  running from /Users/veselov/.npm/_npx/c67e74de0542c87c/node_modules/create-react-app

  System:
    OS: macOS 10.15.7
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 14.15.4 - /usr/local/bin/node
    Yarn: 1.22.10 - ~/homebrew/bin/yarn
    npm: 7.22.0 - ~/homebrew/bin/npm
  Browsers:
    Chrome: 94.0.4606.71
    Edge: Not Found
    Firefox: 91.1.0
    Safari: 15.0
  npmPackages:
    react: ^17.0.2 => 17.0.2 
    react-dom: ^17.0.2 => 17.0.2 
    react-scripts: ^4.0.3 => 4.0.3 
  npmGlobalPackages:
    create-react-app: Not Found

Steps to reproduce

  1. Generate my-app
npx create-react-app my-app
cd my-app
  2. Run audit
yarn audit --level critical

Expected behavior

Expect not to have any critical vulnerabilities

Actual behavior

See above

Reproducible demo

Use the current version of create-react-app

Possible security incident
Possible compliance risk

@nrayburn-tech

This is a development only problem, see #11174 for more info.

@Bilal-S

Bilal-S commented Oct 13, 2021

There are other high-severity vulnerability issues flagged in 4.0.3 (run npm audit).
Understood that this may only manifest itself in development, but it would be nice to see some attention, as development code is many times posted for testing.

@Dipanjan-05071989

Any update on this open item? Issue still persists.

@stale

stale bot commented Jan 8, 2022

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Jan 8, 2022
@vladimirveselov

Is it possible to move it to development dependencies or to upgrade to a non-vulnerable version?

@stale stale bot removed the stale label Jan 9, 2022
@azoray

azoray commented Jul 20, 2022

I get high severity reports when running with yarn and npm:

$ yarn audit --level critical
yarn audit v1.22.15
info No lockfile found.
warning @testing-library/jest-dom > css > [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
warning react-scripts > @svgr/webpack > @svgr/plugin-svgo > [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
warning react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
warning react-scripts > css-minimizer-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
1 vulnerabilities found - Packages audited: 1230
Severity: 1 High
Done in 25.01s.


$ npm audit
# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Environment:

$ npx create-react-app --info

Environment Info:

  current version of create-react-app: 5.0.1
  running from /.npm/_npx/c67e74de0542c87c/node_modules/create-react-app

  System:
    OS: Linux 5.15 Ubuntu 20.04.4 LTS (Focal Fossa)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
  Binaries:
    Node: 16.15.1 - ~/.nvm/versions/node/v16.15.1/bin/node
    Yarn: 1.22.15 - ~/.nvm/versions/node/v16.15.1/bin/yarn
    npm: 8.11.0 - ~/.nvm/versions/node/v16.15.1/bin/npm
  Browsers:
    Chrome: 103.0.5060.114
    Firefox: 102.0
  npmPackages:
    react: ^18.2.0 => 18.2.0 
    react-dom: ^18.2.0 => 18.2.0 
    react-scripts: 5.0.1 => 5.0.1 
  npmGlobalPackages:
    create-react-app: Not Found

@mark-wiemer

> Is it possible to move it to development dependencies or to upgrade to a non-vulnerable version?

Yes, you should move react-scripts to dev dependencies per #11174

No branches or pull requests

7 participants