Open neelrocketbots opened 1 month ago
+1
This is now the subject of an 8.3 score CVE: https://github.com/advisories/GHSA-gcx4-mw62-g8wm
For now, this is my overrides list in packages.json:

```json
"overrides": {
  "svgo": {
    "nth-check": ">=2.0.2"
  },
  "react-scripts": {
    "postcss": ">=8.4.31",
    "workbox-webpack-plugin": ">=7.1.0"
  },
  "workbox-build": {
    "rollup": ">=3.29.5"
  },
  "@rollup/plugin-babel": {
    "rollup": ">=3.29.5"
  },
  "@rollup/plugin-replace": {
    "rollup": ">=3.29.5"
  }
},
```
I haven't seen any obvious breakages, but please test this before blindly using it in prod.
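A lock-file check to go with the overrides above, as an added example (not code from this thread, from npm or from rollup): it walks the `packages` map of a package-lock.json for nested copies that still sit inside a vulnerable range and emits override entries in the same per-parent shape. The version ranges are taken from this thread (the 3.x rollup floor is inferred from the `>=3.29.5` override), the lock-file excerpt is constructed, and on a real project you would pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead.

```javascript
const VULNERABLE_RANGES = {  // [minInclusive, maxExclusive] version strings
  // "4.0.0 <= v < 4.22.4" is stated in the thread; the 3.x floor is inferred from the
  // override ">=3.29.5" (assumption: every older release is unpatched).
  rollup: [['0.0.0', '3.29.5'], ['4.0.0', '4.22.4']],
  // Floor taken from the overrides list in the thread (assumption: anything below is unpatched).
  'nth-check': [['0.0.0', '2.0.2']],
};

// Numeric "major.minor.patch" comparison; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(n => Number(n) || 0));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// The [min, max) range containing `version`, or null when that version is patched/unknown.
function vulnerableRange(name, version) {
  return (VULNERABLE_RANGES[name] || []).find(([min, max]) =>
    compareVersions(version, min) >= 0 && compareVersions(version, max) < 0) || null;
}

// Walk every "node_modules/..." entry, including nested copies that npm hoisting left behind.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue;                          // root project entry
    const chain = path.replace(/^node_modules\//, '').split('/node_modules/');  // parent chain
    const name = chain[chain.length - 1], parent = chain[chain.length - 2] || null;
    const range = vulnerableRange(name, meta.version);
    if (range) hits.push({ path, name, parent, version: meta.version, fixed: range[1] });
  }
  return hits;
}

// Build the per-parent "overrides" block in the same shape as the one posted in the thread.
function suggestOverrides(hits) {
  const overrides = {};
  for (const { name, parent, fixed } of hits) {
    if (parent) overrides[parent] = { ...(overrides[parent] || {}), [name]: `>=${fixed}` };
    else overrides[name] = `>=${fixed}`;
  }
  return overrides;
}

// Constructed package-lock excerpt: the hoisted rollup is patched, two nested copies are not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/rollup': { version: '4.22.4' },
  'node_modules/@rollup/plugin-babel/node_modules/rollup': { version: '4.21.1' },
  'node_modules/workbox-build/node_modules/rollup': { version: '2.79.1' },
  'node_modules/nth-check': { version: '1.0.2' },
} };

console.log(JSON.stringify(suggestOverrides(findVulnerable(SAMPLE_LOCK)), null, 2));
```

The emitted object is what you would paste under `"overrides"`; re-run after `npm install` to confirm the lock file no longer contains a flagged copy.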
As mentioned by @qwertychouskie, rollup versions >= 4.0.0 and < 4.22.4 are subject to the 8.3-score CVE GHSA-gcx4-mw62-g8wm. So, instead of updating to rollup version 4.21.1, 4.22.4 should be used, as version 4.22.4 contains the patch for the mentioned vulnerability.
The rollup dependency is quite behind and requires an update. Since it's in devDependencies, not peerDependencies, it affects the package-lock.json, causing versioning conflicts.