update vulnerable dependencies #12055

Open
@juliocarneiro

Description

@juliocarneiro

Describe the bug

Snyk accuses vulnerable dependencies in react-scripts

Did you try recovering your dependencies?

yes

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

System:
OS: Windows 10 10.0.19044
CPU: (4) x64 Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
Binaries:
Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.17 - C:\Program Files\nodejs\yarn.CMD
npm: 8.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: Not Found
Edge: Spartan (44.19041.1266.0), Chromium (98.0.1108.50)
Internet Explorer: 11.0.19041.1202
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: 5.0.0 => 5.0.0
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

  1. Open cra project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Expected behavior

There should be no vulnerabilities

Actual behavior

Regular Expression Denial of Service (ReDoS)
Vulnerability | CVE-2021-3803 | CWE-1333 | CVSS 7.5 | SNYK-JS-NTHCHECK-1586032
Vulnerable module
nth-check
Introduced through
react-scripts@5.0.0
Fixed in
nth-check@2.0.1
Exploit maturity
Not Defined
Detailed paths
Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > nth-check@1.0.2
Remediation: Upgrade nth-check to version 2.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)


Regular Expression Denial of Service (ReDoS)
Vulnerability | CVE-2021-33587 | CWE-400 | CVSS 5.3 | SNYK-JS-CSSWHAT-1298035
Vulnerable module
css-what
Introduced through
react-scripts@5.0.0
Fixed in
css-what@5.0.1
Exploit maturity
Not Defined
Detailed paths
Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > css-what@3.4.2
Remediation: Upgrade css-what to version 5.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

Reproducible demo

https://github.com/juliocarneiro/react-chrome-extension

  1. Open project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Activity

changed the title [-]Vulnerability dependencies[/-] [+]update vulnerability dependencies[/+] on Feb 13, 2022
changed the title [-]update vulnerability dependencies[/-] [+]update vulnerable dependencies[/+] on Feb 13, 2022
ghost

ghost commented on Feb 28, 2022

@ghost

This can be fixed by updating the @svgr/webpack dependency in react-scripts to latest version (6.2.1) - https://github.com/facebook/create-react-app/blob/main/packages/react-scripts/package.json#L33

NapalmCodes

NapalmCodes commented on Jun 17, 2022

@NapalmCodes

Any ETA on this? Snyk promoted to a high severity vulnerability. Utilizing overrides for now.

struginskij

struginskij commented on Jul 5, 2022

@struginskij

Any update?

satori-code

satori-code commented on Jul 11, 2022

@satori-code

Any update?

OmegaDL2

OmegaDL2 commented on Jul 21, 2022

@OmegaDL2

Do you have any timetable where this might get fixed?

samanehsan

samanehsan commented on Aug 2, 2022

@samanehsan

This is triggering a high-severity alert in dependabot as well: https://github.com/DataBiosphere/jade-data-repo-ui/security/dependabot/12

rishabhdugar

rishabhdugar commented on Aug 10, 2022

@rishabhdugar

This is showing as high vulnerability for us and dependency on react-scripts 5.0.0 (CVE-2021-3803), any pointers/ETA on this will be helpful

juliocarneiro

juliocarneiro commented on Aug 18, 2022

@juliocarneiro
Author

Any update?

MrAndrew

MrAndrew commented on Aug 20, 2022

@MrAndrew

If the repo owners won't fix, is there any known workaround?

exil0867

exil0867 commented on Sep 1, 2022

@exil0867

We will be switching to ViteJS because of this.

shirelfanbaum

shirelfanbaum commented on Nov 9, 2022

@shirelfanbaum

Hi, I'm still experiencing this issue, and nothing solves it, is there a solution for it?

mwolski89

mwolski89 commented on Dec 1, 2022

@mwolski89

+1

GrimzEcho

GrimzEcho commented on Dec 13, 2022

@GrimzEcho

Until this is patched, you can override the @svgr/webpack version by adding the following to your package.json.

  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

You will need to be using a fairly recent version of NPM for this to work (I forget the exact version overrides were introduced). Updating the version of @svgr/webpack is what the PR does, but if you want a more precise override, you can also go deeper and just pin nth-check. See https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides for more info.
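The override above replaces the @svgr/webpack subtree, so the check worth running afterwards is whether the resolved tree still contains nth-check below 2.0.1 or css-what below 5.0.1. This is an added example, not code from this thread or from create-react-app: it walks an `npm ls --all --json`-style tree and reports each introduction path in the same shape as Snyk's "Detailed paths" line. The trees inside are constructed from the paths quoted in the issue, and the post-override versions are assumed rather than taken from a real install.

```javascript
// Added example (not from the issue or from create-react-app): walk an
// `npm ls --all --json`-style tree and report every path that resolves to a
// package below the fixed versions named in the Snyk report above.
const FIXED_IN = { 'nth-check': '2.0.1', 'css-what': '5.0.1' }; // from the issue

// Compare MAJOR.MINOR.PATCH numerically (prerelease tags are ignored here).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Depth-first walk; each hit records the "a@x > b@y > vuln@z" chain, the same
// shape as Snyk's "Detailed paths" line, so an override can be targeted.
function findVulnerablePaths(tree, fixedIn = FIXED_IN) {
  const hits = [];
  const walk = (name, node, trail) => {
    const chain = trail.concat(`${name}@${node.version}`);
    if (fixedIn[name] && cmpVersion(node.version, fixedIn[name]) < 0) {
      hits.push({ module: name, version: node.version,
                  fixedIn: fixedIn[name], path: chain.join(' > ') });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, chain);
    }
  };
  for (const [dep, child] of Object.entries(tree.dependencies || {})) {
    walk(dep, child, [`${tree.name}@${tree.version}`]);
  }
  return hits;
}

// Constructed trees mirroring the path from the issue (not real `npm ls` output).
const cssSelect = (nthCheck, cssWhat) => ({ version: '2.1.0', dependencies: {
  'nth-check': { version: nthCheck }, 'css-what': { version: cssWhat } } });
const treeFor = (svgrVersion, nthCheck, cssWhat) => ({
  name: 'react-chrome-extension', version: '2.0.0', dependencies: {
    'react-scripts': { version: '5.0.0', dependencies: {
      '@svgr/webpack': { version: svgrVersion, dependencies: {
        '@svgr/plugin-svgo': { version: '5.5.0', dependencies: {
          'svgo': { version: '1.3.2', dependencies: {
            'css-select': cssSelect(nthCheck, cssWhat) } } } } } } } } } });
const beforeOverride = treeFor('5.5.0', '1.0.2', '3.4.2');  // as reported
// Hypothetical post-override tree: these versions are assumed, not from npm.
const afterOverride = treeFor('6.5.1', '2.0.1', '5.0.1');
console.log(findVulnerablePaths(beforeOverride)); // two hits
console.log(findVulnerablePaths(afterOverride));  // []
```

Feed the output of `npm ls --all --json` to `findVulnerablePaths` in place of the constructed tree to check a real project; an empty result means the override reached every path.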

nwoodr94

nwoodr94 commented on Mar 8, 2023

@nwoodr94

I use this web utility to update my package.json before we go into production, and am still finding that the vuln exists in the latest version, now ^5.0.1

This matters because we can't deploy vulnerabilities.

npm list

+-- react-scripts@5.0.1

npm audit

npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change

Maybe this will get fixed after the tech recession, lol

This worked for me

Until this is patched, you can override the @svgr/webpack version by adding the following to your package.json.

  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

You will need to be using a fairly recent version of NPM for this to work (I forget the exact version overrides were introduced). Updating the version of @svgr/webpack is what the PR does, but if you want a more precise override, you can also go deeper and just pin nth-check. See https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides for more info.

          update vulnerable dependencies · Issue #12055 · facebook/create-react-app