
update vulnerable dependencies

See original GitHub issue

Describe the bug

Snyk accuses react-scripts of vulnerable dependencies

Did you try recovering your dependencies?

yes

Which terms did you search for in User Guide?


Environment

System:
  OS: Windows 10 10.0.19044
  CPU: (4) x64 Intel® Core™ i5-6400 CPU @ 2.70GHz
Binaries:
  Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.17 - C:\Program Files\nodejs\yarn.CMD
  npm: 8.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Chrome: Not Found
  Edge: Spartan (44.19041.1266.0), Chromium (98.0.1108.50)
  Internet Explorer: 11.0.19041.1202
npmPackages:
  react: ^17.0.2 => 17.0.2
  react-dom: ^17.0.2 => 17.0.2
  react-scripts: 5.0.0 => 5.0.0
npmGlobalPackages:
  create-react-app: Not Found

Steps to reproduce


  1. Open cra project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Expected behavior

There should be no vulnerabilities

Actual behavior

Regular Expression Denial of Service (ReDoS) Vulnerability | CVE-2021-3803 | CWE-1333 | CVSS 7.5 | SNYK-JS-NTHCHECK-1586032
  Vulnerable module: nth-check
  Introduced through: react-scripts@5.0.0
  Fixed in: nth-check@2.0.1
  Exploit maturity: Not Defined
  Detailed paths:
    Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > nth-check@1.0.2
  Remediation: Upgrade nth-check to version 2.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

Regular Expression Denial of Service (ReDoS) Vulnerability | CVE-2021-33587 | CWE-400 | CVSS 5.3 | SNYK-JS-CSSWHAT-1298035
  Vulnerable module: css-what
  Introduced through: react-scripts@5.0.0
  Fixed in: css-what@5.0.1
  Exploit maturity: Not Defined
  Detailed paths:
    Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > css-what@3.4.2
  Remediation: Upgrade css-what to version 5.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

Reproducible demo

https://github.com/juliocarneiro/react-chrome-extension

  1. Open project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 32
  • Comments: 13

Top GitHub Comments

13 reactions
napalm684 commented, Jun 18, 2022

Any ETA on this? Snyk promoted to a high severity vulnerability. Utilizing overrides for now.

11 reactions
micmcg commented, Feb 28, 2022

This can be fixed by updating the @svgr/webpack dependency in react-scripts to latest version (6.2.1) - https://github.com/facebook/create-react-app/blob/main/packages/react-scripts/package.json#L33
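The two "Detailed paths" in the Snyk output, the overrides workaround napalm684 mentions and the @svgr/webpack upgrade micmcg points to can all be checked against the project's own lockfile. The script below is an added example written for this page, not code from create-react-app, Snyk or npm. It walks an npm package-lock.json (lockfileVersion 2 or 3, whose `packages` map is keyed by path under node_modules) using Node's nearest-node_modules-first lookup order, lists every chain from the project root to a flagged package, keeps only chains whose resolved version is below the version the advisory says is fixed, and emits the package.json `overrides` block (npm 8.3+; the same object goes under `resolutions` for Yarn 1) that would force those packages up. The lockfile inside the script is constructed by hand to mirror the path in the issue; the extra `react-scripts > nth-check@2.0.1` edge is invented so that an already-fixed hoisted copy is seen to be resolved correctly and not reported. Yarn 1's yarn.lock uses a different format and is not parsed here.

```javascript
// Added example for this page: find dependency chains to vulnerable packages in an
// npm package-lock.json and derive an "overrides" block. Not code from
// create-react-app, Snyk or npm.

// Constructed lockfile (lockfileVersion 2 layout) mirroring the path reported in the
// issue. The "nth-check": "^2.0.1" edge on react-scripts is invented for the demo.
const LOCK = {
  name: "react-chrome-extension",
  lockfileVersion: 2,
  packages: {
    "": { name: "react-chrome-extension", version: "2.0.0",
          dependencies: { "react-scripts": "5.0.0" } },
    "node_modules/react-scripts": { version: "5.0.0",
          dependencies: { "@svgr/webpack": "^5.5.0", "nth-check": "^2.0.1" } },
    "node_modules/@svgr/webpack": { version: "5.5.0",
          dependencies: { "@svgr/plugin-svgo": "^5.5.0" } },
    "node_modules/@svgr/plugin-svgo": { version: "5.5.0",
          dependencies: { svgo: "^1.2.2" } },
    "node_modules/svgo": { version: "1.3.2",
          dependencies: { "css-select": "^2.0.0" } },
    "node_modules/css-select": { version: "2.1.0",
          dependencies: { "css-what": "^3.2.1", "nth-check": "^1.0.2" } },
    // the fixed nth-check is hoisted; the vulnerable copies css-select@2 needs are
    // nested under its own node_modules, exactly where Node's resolver finds them
    "node_modules/nth-check": { version: "2.0.1" },
    "node_modules/css-select/node_modules/nth-check": { version: "1.0.2" },
    "node_modules/css-select/node_modules/css-what": { version: "3.4.2" },
  },
};

// The two advisories from the Snyk output in the issue.
const ADVISORIES = [
  { id: "CVE-2021-3803", pkg: "nth-check", fixedIn: "2.0.1" },
  { id: "CVE-2021-33587", pkg: "css-what", fixedIn: "5.0.1" },
];

// Resolve `dep` as required by the package stored at lockfile key `fromKey`:
// try <fromKey>/node_modules/<dep>, then walk up one node_modules level at a time.
function resolveKey(lock, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; returns every chain ending at `target`,
// each element formatted "name@version" like a scanner's "Detailed paths" line.
function findPaths(lock, target) {
  const results = [];
  const walk = (key, chain, seen) => {
    const deps = lock.packages[key].dependencies || {};
    for (const dep of Object.keys(deps)) {
      const depKey = resolveKey(lock, key, dep);
      if (!depKey || seen.has(depKey)) continue; // unresolved entry or cycle
      const label = `${dep}@${lock.packages[depKey].version}`;
      if (dep === target) { results.push([...chain, label]); continue; }
      walk(depKey, [...chain, label], new Set([...seen, depKey]));
    }
  };
  const root = lock.packages[""];
  walk("", [`${root.name}@${root.version}`], new Set([""]));
  return results;
}

// Numeric major.minor.patch comparison (pre-release tags ignored; enough for the
// plain versions a scanner prints). Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Keep only the chains whose resolved version is still below the fixed version.
function vulnerableChains(lock, advisories) {
  const findings = [];
  for (const { id, pkg, fixedIn } of advisories) {
    for (const chain of findPaths(lock, pkg)) {
      const version = chain[chain.length - 1].split("@").pop(); // "nth-check@1.0.2" -> "1.0.2"
      if (compareVersions(version, fixedIn) < 0) {
        findings.push({ id, pkg, version, fixedIn, path: chain.join(" > ") });
      }
    }
  }
  return findings;
}

// package.json "overrides" (npm) / "resolutions" (Yarn 1) forcing each flagged
// package to at least its fixed version.
function overridesFor(findings) {
  const out = {};
  for (const f of findings) out[f.pkg] = `>=${f.fixedIn}`;
  return out;
}

const findings = vulnerableChains(LOCK, ADVISORIES);
for (const f of findings) console.log(`${f.id}: ${f.path} (fixed in ${f.fixedIn})`);
console.log(JSON.stringify({ overrides: overridesFor(findings) }, null, 2));
```

To run it on a real project, replace `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the output for the constructed data reproduces the two chains Snyk printed and leaves the hoisted nth-check@2.0.1 unreported. An override that jumps a transitive dependency across a major version (nth-check 1.x to 2.x here) only works if the intermediate consumer, css-select@2.1.0 in this chain, still builds and runs with it, so verify with a full build and test run after adding it; the remediation Snyk prints, upgrading @svgr/webpack from 5.5.0 to 6.2.1, fixes the chain at its source instead.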

