Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Missing Origin Validation in react-scripts@2.1.2

See original GitHub issue

Is this a bug report?

Yes, NPM reports 1 high severity vulnerability when running npx create-react-app my-app. Not sure why I can’t find a bug report already about this issue. Sorry if it has already been reported.

According to npm audit, the webpack-dev-server dependency has to be upgraded to >=3.1.11.

Environment

npx create-react-app --info
npx: installed 63 in 2.22s

Environment Info:

  System:
    OS: macOS High Sierra 10.13.6
    CPU: x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
  Binaries:
    Node: 10.11.0 - /usr/local/bin/node
    npm: 6.5.0 - ~/Sites/theregulars/theregulars-reviews/node_modules/.bin/npm
  Browsers:
    Chrome: 71.0.3578.98
    Firefox: 64.0
    Safari: 12.0.2
  npmPackages:
    react: ^16.6.3 => 16.6.3
    react-dom: ^16.6.3 => 16.6.3
    react-scripts: ^2.1.2 => 2.1.2
  npmGlobalPackages:
    create-react-app: Not Found

Steps to Reproduce

npx create-react-app my-app
cd my-app⸨⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⸩ ⠧ rollbackFailedOptional: verb npm-session 2bed87enpx: installed 63 in 4.162s

Creating a new React app in /Users/sunknudsen/tmp/my-app.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...


> fsevents@1.2.4 install /Users/sunknudsen/tmp/my-app/node_modules/fsevents
> node install

[fsevents] Success: "/Users/sunknudsen/tmp/my-app/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" already installed
Pass --update-binary to reinstall or --build-from-source to recompile
+ react-scripts@2.1.2
+ react@16.7.0
+ react-dom@16.7.0
added 1794 packages from 684 contributors and audited 35709 packages in 47.487s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Initialized a git repository.

Success! Created my-app at /Users/sunknudsen/tmp/my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!

npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 35709 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Issue Analytics

State:
Created 5 years ago
Reactions:34
Comments:29 (8 by maintainers)

Top GitHub Comments

66reactions

ianschmitzcommented, Jan 3, 2019

Just gave a nudge to @gaearon. Hoping to get a patch out soon. Sorry for the delay!

25reactions

ianschmitzcommented, Jan 4, 2019

v2.1.3 is available. Please let me know if you have any more issues!

Top Results From Across the Web

Missing Origin Validation in Package webpack-dev-server ...

I have 'Client' folder where i keep all my react code. After uploading code in server, I run 'npm install'. All the dependencies...

Missing Origin Validation during npm install #1566 - GitHub

Anyone manage to run npm install laravel-mix without hitting any error even after a month ? All reactions.

Missing Origin Validation in webpack-dev-server - Laracasts

I have this when I run npm install. Anyone have ideas how to fix? This started happening only yesterday I believe. Following the...

CWE-1385: Missing Origin Validation in WebSockets (4.9)

The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid. WebSockets provide a...

How to fix Missing Origin Validation error for “webpack-dev ...

npm audit security report === Manual Review Some vulnerabilities require your attention to resolve Visit https://go.npm.me/audit-guide for additional ...