Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Dependency on insecure version of braces (Node security advisory 786)

See original GitHub issue

Is this a bug report?

Yes.

Did you try recovering your dependencies?

I don’t think this step is necessary, due to the error being present in a brand new project.

Which terms did you search for in User Guide?

None.

Environment

Environment Info:

  System:
    OS: macOS 10.14.3
    CPU: x64 Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz
  Binaries:
    Node: 10.15.0 - /usr/local/opt/node@10/bin/node
    Yarn: 1.13.0 - /usr/local/bin/yarn
    npm: 6.4.1 - /usr/local/opt/node@10/bin/npm
  Browsers:
    Chrome: 72.0.3626.109
    Firefox: 65.0
    Safari: 12.0.3
  npmPackages:
    react: ^16.8.2 => 16.8.2 
    react-dom: ^16.8.2 => 16.8.2 
    react-scripts: 2.1.5 => 2.1.5 
  npmGlobalPackages:
    create-react-app: Not Found

Steps to Reproduce

yarn create react-app my-app
cd my-app/
yarn audit

In addition, I’ve tried to add braces as a top-level dependency using yarn add braces. That didn’t help.

Expected Behavior

Pass.

Actual Behavior

Fail:

➜  my-app git:(master) yarn audit
yarn audit v1.13.0
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > babel-jest > babel-plugin-istanbul >         │
│               │ test-exclude > micromatch > braces                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/786                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
…
63 vulnerabilities found - Packages audited: 36332
Severity: 63 Low
✨  Done in 3.12s.

Reproducible Demo

I don’t think this is necessary, due to the required steps being very few.

Issue Analytics

State:
Created 5 years ago
Reactions:55
Comments:34 (7 by maintainers)

Top GitHub Comments

35reactions

iansucommented, Feb 19, 2019

Let’s focus on the issue here. This is not the place to debate the merits of npm audit or how your CI should be set up.

Since Jest isn’t planning to backport this fix to Jest 23 the only thing we can do is release a major version of Create React App with Jest 24. We are currently working on that and you can follow the progress on upgrading to Jest 24 here: https://github.com/facebook/create-react-app/pull/6278

9reactions

ztolleycommented, Feb 18, 2019

Handlebars just joined the party with a High priority vulnerability too

Top Results From Across the Web

How to fix npm package braces issue with react-scripts v2.1.5 ...

I've tried downgrading to previous versions of react-scripts, updating braces either through updating the package.json, deleting the package ...

Dependency Audit Retrospective: June 2019 - Medium

This week, a tweet from the Chief Security Officer of Brave browser raised some public concerns of the security of our codebase.

Deprecated packages and vulnerabilities in Hybrid app

Hi all, I am trying to build a hybrid app and I am following the steps in https://docs.mendix.com/developerportal/deploy/mobileapp I have ...

nuxt | npm | Open Source Insights

In the dependencies ... ejs template injection vulnerability. 9.8 CRITICAL·GHSA-phwq-j96m- ... Insecure serialization leading to RCE in serialize-javascript.

NPM Identify And Fix Insecure Dependencies

NPM's latest version npm@6 has been launched and It has come with new powerful tool npm audit. This tool will help us to...