
Security Vulnerability in node-forge which is a transitive dependency of react-scripts

See original GitHub issue

node-forge version 0.9.0 is vulnerable to prototype pollution. Its version is now bumped to 0.10.0; however, react-scripts 3.4.3 brings in node-forge 0.9.0.

react-scripts@3.4.3
└── webpack-dev-server@3.11.0
    └── selfsigned@1.10.7
        └── node-forge@0.9.0

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 11
  • Comments: 17

Top GitHub Comments

2 reactions
Aashishkmr commented, Sep 22, 2020

@nli8n A react-scripts version bump is not required; it will be updated automatically. Try the steps below:

  1. Open the node_modules folder and delete the selfsigned folder from there.
  2. Run npm install.
  3. Verify whether node-forge has been updated. You can do this by searching package-lock.json or by running npm ls node-forge from the console.
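The following is an added example for the verification in step 3; it is not code from the issue, from react-scripts or from npm. It walks a parsed package-lock.json (both the nested lockfileVersion 1 layout that npm 6 wrote for react-scripts 3.x and the flat "packages" map of lockfileVersion 2/3), lists every resolved copy of a package with the path it sits under, and flags copies below the first fixed version, which is the same information npm ls node-forge prints but usable offline and in CI. The two lock files embedded in it are constructed to mirror the chain reported in the issue, with an extra hoisted node-forge@0.10.0 at the top level to show why the first match in a search of package-lock.json is not enough; the 0.10.0 threshold is the fixed version named in the issue.

```javascript
"use strict";

// Compare two dotted numeric versions ("0.9.0" < "0.10.0"); prerelease tags
// and build metadata are ignored, which is enough for the versions here.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: nested "dependencies" objects mirror node_modules nesting,
// so the recursion path is the dependency chain that npm ls prints.
function walkV1(deps, name, chain, out) {
  for (const [dep, meta] of Object.entries(deps || {})) {
    const here = chain.concat(`${dep}@${meta.version}`);
    if (dep === name) out.push({ version: meta.version, path: here.join(" > ") });
    walkV1(meta.dependencies, name, here, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/selfsigned/node_modules/node-forge". The key is the on-disk
// nesting, which is what the module resolver follows, not the full dep chain.
function walkV2(packages, name, out) {
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key === "") continue; // the root project itself
    const parts = key.split("node_modules/").filter(Boolean).map((p) => p.replace(/\/$/, ""));
    if (parts[parts.length - 1] !== name) continue;
    const chain = parts.map((p, i) => {
      const k = "node_modules/" + parts.slice(0, i + 1).join("/node_modules/");
      return `${p}@${(packages[k] || {}).version || "?"}`;
    });
    out.push({ version: meta.version, path: chain.join(" > ") });
  }
}

// Every resolved copy of `name` in the lock file, with the path it sits under.
function findPackage(lock, name) {
  const out = [];
  if (lock.lockfileVersion >= 2) walkV2(lock.packages, name, out);
  else walkV1(lock.dependencies, name, [], out);
  return out;
}

// Copies older than `fixedVersion`. A hoisted fixed copy at the top level does
// not help when a nested older copy is the one selfsigned actually requires.
function auditPackage(lock, name, fixedVersion) {
  const occurrences = findPackage(lock, name);
  const vulnerable = occurrences.filter((o) => compareVersions(o.version, fixedVersion) < 0);
  return { occurrences, vulnerable };
}

// CONSTRUCTED lock files (not real project output) mirroring the chain in the
// issue, plus a hoisted node-forge@0.10.0 that a naive search would find first.
const SAMPLE_LOCK_V1 = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": {
      version: "3.4.3",
      dependencies: {
        "webpack-dev-server": {
          version: "3.11.0",
          dependencies: {
            selfsigned: {
              version: "1.10.7",
              dependencies: { "node-forge": { version: "0.9.0" } },
            },
          },
        },
      },
    },
    "node-forge": { version: "0.10.0" },
  },
};

const SAMPLE_LOCK_V2 = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app" },
    "node_modules/node-forge": { version: "0.10.0" },
    "node_modules/selfsigned": { version: "1.10.7" },
    "node_modules/selfsigned/node_modules/node-forge": { version: "0.9.0" },
  },
};

// Demo on the constructed v1 lock; for a real project pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
for (const o of auditPackage(SAMPLE_LOCK_V1, "node-forge", "0.10.0").occurrences) {
  const flag = compareVersions(o.version, "0.10.0") < 0 ? "  <-- below 0.10.0" : "";
  console.log(o.path + flag);
}
```

A non-empty vulnerable list after the reinstall means the nested copy under selfsigned is still the old one, whatever the top-level entry says; that is the case to re-check rather than stopping at the first "node-forge" hit in the lock file.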
0 reactions
crystalmariap commented, Feb 10, 2021

I



Top Results From Across the Web

Vulnerability detected in node-forge - Stack Overflow
I've run npm audit fix. node-forge is only in my package-lock.json file and is required by "selfsigned" dependency. node ...
Fixing security vulnerabilities in npm dependencies in less ...
Fixing security vulnerabilities in npm dependencies in less than 3 mins ... libraries might have already fixed the version of their transitive dependencies....
react-scripts | npm - Open Source Insights
In the dependencies. Improper Neutralization of Special Elements used in a Command in Shell-quote. 9.8 CRITICAL·GHSA-g4rg-993r-mgx7.
kodyfire-builder - npm Package Health Analysis | Snyk
All security vulnerabilities belong to production dependencies of direct and indirect packages. License: MIT. Security Policy: Yes ...
Fix Example Transitive Vulnerability for NPM Without Force ...
If you encounter problems using the NPM force-resolutions package, you can use this alternative method to fix transitive vulnerabilities in ...
