CVE-2021-27290 in `react-scripts` due to using an old version of `webpack`
Describe the bug
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Looking at https://github.com/facebook/create-react-app/blob/master/packages/react-scripts/package.json, it pulls in webpack @ 4.44.2, which ends up with this tree:
┬ react-scripts@4.0.3
├─┬ terser-webpack-plugin@4.2.3
│ └─┬ cacache@15.0.5
│   └── ssri@8.0.1
└─┬ webpack@4.44.2
  └─┬ terser-webpack-plugin@1.4.5
    └─┬ cacache@12.0.4
      └── ssri@6.0.1
Moving to the latest webpack (currently 5.26.2) will fix this.
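The tree above shows why a top-level `npm audit` result can be confusing: the same project carries a fixed ssri (8.0.1, via terser-webpack-plugin@4.2.3) and a vulnerable one (6.0.1, via webpack@4.44.2). The following added example (written for this page, not code from the issue, create-react-app or ssri) walks a dependency tree in the shape `npm ls --json` produces and reports every path ending in an ssri release inside the advisory's range, 5.2.2 up to but not including 8.0.1. The tree it runs on is constructed to mirror the one in the issue; `auditSsri`, `findPackage` and the other names are this example's own. Note the advisory's caveat: only consumers that pass the `strict` option are exposed, so a flagged path is a candidate to investigate, not a confirmed exploitable sink.

```javascript
'use strict';
// Added example: audit an `npm ls --json`-shaped dependency tree for ssri
// releases affected by CVE-2021-27290. Not part of react-scripts or ssri.
// Run with: node ssri-audit.js

// Version bounds quoted from the advisory in the issue body.
const VULN_MIN = '5.2.2'; // first affected release
const FIXED_IN = '8.0.1'; // first fixed release

// Compare two dotted release versions numerically (1.10.0 > 1.9.9).
// Pre-release tags are not handled; npm ls reports resolved release versions.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when VULN_MIN <= version < FIXED_IN.
function isVulnerableSsri(version) {
  return compareVersions(version, VULN_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Recursively collect every occurrence of `pkg` in the tree, recording the
// dependency path that leads to it ("a@1.0.0 > b@2.0.0 > ssri@6.0.1").
function findPackage(tree, pkg, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) out.push({ version: node.version, path: here.join(' > ') });
    findPackage(node, pkg, here, out);
  }
  return out;
}

// Every ssri occurrence, annotated with whether it falls in the CVE range.
function auditSsri(tree) {
  return findPackage(tree, 'ssri').map((hit) => ({
    ...hit,
    vulnerable: isVulnerableSsri(hit.version),
  }));
}

// Constructed sample tree mirroring the one shown in the issue
// (same shape `npm ls --json` emits: name, version, nested dependencies).
const SAMPLE_TREE = {
  name: 'my-app',
  version: '0.1.0',
  dependencies: {
    'react-scripts': {
      version: '4.0.3',
      dependencies: {
        'terser-webpack-plugin': {
          version: '4.2.3',
          dependencies: {
            cacache: { version: '15.0.5', dependencies: { ssri: { version: '8.0.1' } } },
          },
        },
        webpack: {
          version: '4.44.2',
          dependencies: {
            'terser-webpack-plugin': {
              version: '1.4.5',
              dependencies: {
                cacache: { version: '12.0.4', dependencies: { ssri: { version: '6.0.1' } } },
              },
            },
          },
        },
      },
    },
  },
};

// Print one line per ssri occurrence so the vulnerable path is easy to spot.
for (const hit of auditSsri(SAMPLE_TREE)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.path}`);
}
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls ssri --json --all` (npm 7+; older npm prints the full tree without `--all`). The path string tells you which top-level dependency has to be bumped or overridden to pull in a fixed cacache and ssri.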
Issue Analytics
- Created 3 years ago
- Reactions: 11
- Comments: 8
Top GitHub Comments
How difficult is it to move react-scripts to webpack 5?

Moving to webpack 5 will be a major version update, like CRA 5, which will cause breaking changes.
I think CRA definitely needs to move, but may need more time.
So I think we should still upgrade these dependencies in CRA 4 if anyone has time to create a PR.