DashSoftwareSolutions / DashAccountingSystemV2

ASP.NET Core + React/Redux SPA powered Simple Ledger and Time Tracking System for small businesses
GNU General Public License v3.0

[UI] - Update outdated and vulnerable NPM packages #101

Closed groberts314 closed 2 months ago

groberts314 commented 2 years ago

See npm audit.

In particular npm install react-scripts@5.0.1 will resolve A LOT of the existing vulnerabilities, but it broke things.

groberts314 commented 2 years ago

Was able to get react-scripts@5.0.1 update done and app still works. See 22925ea.

groberts314 commented 2 years ago

Most packages updated. Might see if we can update to React 18.

groberts314 commented 4 months ago

As of June 30, 2024 and the merge of #130 npm audit reports the following (on Node v14.17.5 / NPM v6.14.15):


                       === npm audit security report ===

# Run  npm update postcss --depth 3  to resolve 2 vulnerabilities

  Moderate        PostCSS line return parsing error

  Package         postcss

  Dependency of   react-scripts

  Path            react-scripts > postcss

  More info       https://github.com/advisories/GHSA-7fh5-64p2-3v2j

  Moderate        PostCSS line return parsing error

  Package         postcss

  Dependency of   react-scripts

  Path            react-scripts > css-loader > postcss

  More info       https://github.com/advisories/GHSA-7fh5-64p2-3v2j

# Run  npm update ws --depth 3  to resolve 1 vulnerability

  High            ws affected by a DoS when handling a request with many HTTP
                  headers

  Package         ws

  Dependency of   react-scripts

  Path            react-scripts > webpack-dev-server > ws

  More info       https://github.com/advisories/GHSA-3h5v-q93c-6h6q

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        PostCSS line return parsing error

  Package         postcss

  Patched in      >=8.4.31

  Dependency of   react-scripts

  Path            react-scripts > resolve-url-loader > postcss

  More info       https://github.com/advisories/GHSA-7fh5-64p2-3v2j

  High            Inefficient Regular Expression Complexity in nth-check

  Package         nth-check

  Patched in      >=2.0.1

  Dependency of   react-scripts

  Path            react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >
                  css-select > nth-check

  More info       https://github.com/advisories/GHSA-rp65-9cf3-cjxr

  High            ws affected by a DoS when handling a request with many HTTP
                  headers

  Package         ws

  Patched in      >=7.5.10

  Dependency of   react-scripts

  Path            react-scripts > jest > @jest/core > jest-config >
                  jest-environment-jsdom > jsdom > ws

  More info       https://github.com/advisories/GHSA-3h5v-q93c-6h6q

  High            ws affected by a DoS when handling a request with many HTTP
                  headers

  Package         ws

  Patched in      >=7.5.10

  Dependency of   react-scripts

  Path            react-scripts > jest > jest-cli > @jest/core > jest-config >
                  jest-environment-jsdom > jsdom > ws

  More info       https://github.com/advisories/GHSA-3h5v-q93c-6h6q

  High            ws affected by a DoS when handling a request with many HTTP
                  headers

  Package         ws

  Patched in      >=7.5.10

  Dependency of   react-scripts

  Path            react-scripts > jest > jest-cli > @jest/core > jest-config >
                  jest-runner > jest-environment-jsdom > jsdom > ws

  More info       https://github.com/advisories/GHSA-3h5v-q93c-6h6q

found 8 vulnerabilities (3 moderate, 5 high) in 1925 scanned packages
  run `npm audit fix` to fix 3 of them.
  5 vulnerabilities require manual review. See the full report for details.

groberts314 commented 4 months ago

This is probably the best that can be done without fully modernizing the UI stack (and likely getting onto a higher version of Node/NPM). I'll have to make sure that I can run the application from a release build (with the static files bundled), since likely I'll have to keep Node v14.17.5 / NPM v6.14.15 for Healthy Church development for the foreseeable future 😢.

groberts314 commented 4 months ago

So far in the new branch, seeing this, which looks pretty darn good!

C:\Projects\DashAccountingSystemV2_ASPNET8_Take2\src\FrontEnd>npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        PostCSS line return parsing error

  Package         postcss

  Patched in      >=8.4.31

  Dependency of   react-scripts [dev]

  Path            react-scripts > resolve-url-loader > postcss

  More info       https://github.com/advisories/GHSA-7fh5-64p2-3v2j

  High            Inefficient Regular Expression Complexity in nth-check

  Package         nth-check

  Patched in      >=2.0.1

  Dependency of   react-scripts [dev]

  Path            react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >
                  css-select > nth-check

  More info       https://github.com/advisories/GHSA-rp65-9cf3-cjxr

found 2 vulnerabilities (1 moderate, 1 high) in 1587 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
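The two remaining findings sit on nested paths under react-scripts, so the question is which copies of postcss and nth-check in the lockfile are still below the "Patched in" versions the audit quotes. This added example (not code from the DashAccountingSystemV2 project) walks a lockfileVersion 1 package-lock.json, the format npm 6 writes, and reports every occurrence of an advised package below its threshold; the lockfile contents and versions are constructed for illustration.

```javascript
// Added example, not from the DashAccountingSystemV2 repository.
// Check a lockfileVersion 1 package-lock.json against the "Patched in"
// thresholds quoted in the npm audit output above.

// Advisory thresholds copied from the audit report in this issue.
const ADVISORIES = [
  { pkg: 'postcss',   patched: '8.4.31', id: 'GHSA-7fh5-64p2-3v2j' },
  { pkg: 'nth-check', patched: '2.0.1',  id: 'GHSA-rp65-9cf3-cjxr' },
  { pkg: 'ws',        patched: '7.5.10', id: 'GHSA-3h5v-q93c-6h6q' },
];

// Compare plain major.minor.patch versions (pre-release tags ignored); <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recurse through the nested "dependencies" tree (v1 lockfile layout) and
// collect every advised package whose installed version is below "Patched in".
function findUnpatched(lock, advisories = ADVISORIES) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      for (const adv of advisories) {
        if (name === adv.pkg && compareVersions(entry.version, adv.patched) < 0) {
          findings.push({ id: adv.id, path: here.join(' > '),
                          version: entry.version, patched: adv.patched });
        }
      }
      walk(entry.dependencies, here);   // nested copies are separate installs
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile: versions are made up, not the project's real lock.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'react-scripts': { version: '5.0.1', dependencies: {
    postcss: { version: '8.4.31' },                                                   // hoisted copy, patched
    'resolve-url-loader': { version: '4.0.0', dependencies: { postcss: { version: '7.0.39' } } },
    'css-select': { version: '2.1.0', dependencies: { 'nth-check': { version: '1.0.2' } } },
    ws: { version: '7.5.10' },
  } },
} };

console.log(JSON.stringify(findUnpatched(SAMPLE_LOCK), null, 2));
```

Against a real lockfile, read the file with `JSON.parse(fs.readFileSync('package-lock.json'))` and pass it in; note that npm 7 and later write lockfileVersion 2 or 3 with a flat `packages` map keyed by path, which this walker does not read.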