Closed: sethusrinivasan closed this issue 2 years ago
Hi @sethusrinivasan, thanks for this issue. Are you sure you're using the latest version? Currently most of the vulnerabilities that you mentioned have been fixed (and these were connected to react-scripts). Indeed, if you look at the message, it says that it would install react-scripts@5.0.0:

    fix available via `npm audit fix --force`
    Will install react-scripts@5.0.0, which is a breaking change

but that's already what this utility uses: https://github.com/aws-samples/amazon-timestream-simple-visualizer/blob/main/package.json#L33
In the current version there are only the following:
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > │
│ │ css-select > nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service in postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.2.13 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > resolve-url-loader > postcss │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-566m-qj78-rww5 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 moderate severity vulnerabilities in 1851 scanned packages
2 vulnerabilities require manual review. See the full report for details.
These are also transitive dependencies that are not used directly by this project. We'll monitor the situation; as these get fixed by the community, we will upgrade as well.
Additionally, these are connected to dev dependencies that are not used in the production build, and there are no vulnerabilities in the production dependencies:
$ npm audit --production
=== npm audit security report ===
found 0 vulnerabilities in 154 scanned packages
I'd suggest you try to delete your node_modules folder and reinstall the dependencies with npm install.
I'm closing this issue as not relevant for this version; feel free to reopen it in case you have the same problem.
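As an added example (not code from the issue thread or from the amazon-timestream-simple-visualizer project), the following Node script applies the distinction the comment draws: it reads an npm 6 `npm audit --json` report, separates advisories reachable only through devDependencies from those on a production path, and fails the build only for the latter. The report embedded below is a constructed sample shaped like the npm 6 audit JSON (advisories whose findings carry a `dev` flag); the advisory ids, the third package and its URL are placeholders, and the `dev` flag semantics are assumed from that format.

```javascript
// Added example (not from the project): classify an npm 6 `npm audit --json`
// report into advisories reachable only via devDependencies versus those on a
// production path, so CI can fail on what actually ships. CONSTRUCTED sample
// shaped like the npm 6 format; ids, "example-prod-pkg" and its URL are placeholders.
const sampleReport = {
  advisories: {
    "1001": {
      module_name: "nth-check", severity: "moderate", patched_versions: ">=2.0.1",
      url: "https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
      findings: [{ dev: true, paths: [
        "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check" ] }],
    },
    "1002": {
      module_name: "postcss", severity: "moderate", patched_versions: ">=8.2.13",
      url: "https://github.com/advisories/GHSA-566m-qj78-rww5",
      findings: [{ dev: true, paths: ["react-scripts>resolve-url-loader>postcss"] }],
    },
    "9999": { // constructed placeholder: a finding on a production path
      module_name: "example-prod-pkg", severity: "high", patched_versions: ">=2.0.0",
      url: "https://example.invalid/advisory", // placeholder URL
      findings: [{ dev: false, paths: ["example-prod-pkg"] }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// An advisory is dev-only when every finding was reached through devDependencies.
function classifyAudit(report) {
  const result = { dev: [], prod: [] };
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const findings = adv.findings || [];
    const devOnly = findings.length > 0 && findings.every((f) => f.dev === true);
    (devOnly ? result.dev : result.prod).push({
      id, module: adv.module_name, severity: adv.severity,
      patchedIn: adv.patched_versions, paths: findings.flatMap((f) => f.paths || []),
    });
  }
  return result;
}

// CI gate: true when any production-reachable advisory is at or above `threshold`.
function shouldFailBuild(report, threshold = "moderate") {
  const min = SEVERITY_RANK[threshold] ?? 0;
  return classifyAudit(report).prod.some((a) => (SEVERITY_RANK[a.severity] ?? 0) >= min);
}

const summary = classifyAudit(sampleReport);
console.log(`dev-only: ${summary.dev.map((a) => a.module).join(", ")}; production: ` +
  `${summary.prod.map((a) => a.module).join(", ")}; fail=${shouldFailBuild(sampleReport)}`);
```

With only the two dev-only advisories present (as in the comment's own audit output), `shouldFailBuild` returns false, matching the empty `npm audit --production` result; the placeholder production finding is what flips it to true.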