Closed mekkim closed 2 years ago
Changing the dependencies in the package.json to the following:
    "node-sass": "latest",
    "react-scripts": "latest",
appears to address the issue. npm audit shows cyclic problems with /lower/ versions and npm audit fix --force will try to downgrade and then if run again, upgrade back and forth. Since latest versions are above the critical severity vulnerability versions, one can safely assume the remaining npm audit issues can be ignored.
Seems to install and run fine with latest versions of node-sass and react-scripts but I haven't thoroughly tested, so YMMV.
Actually, the other npm audit fix issues are nested dependency vulnerabilities that require npm shrinkwrap to address per: https://www.juliendesrosiers.com/2020/05/29/update-vulnerable-nodejs-nested-package.php
Final update: Whole issue can be addressed by changing the package.json as follows:
    "node-sass": "latest",
    "react-scripts": "latest",
plus adding at the end:
    "overrides": {
      "glob-parent": "latest",
      "nth-check": "latest"
    }
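Added example, not part of the thread and not the project's code: a Node.js triage of `npm audit --json` output (npm 7+ report format) that separates packages carrying an advisory themselves from those flagged only through the dependency chain, lists nested ones still lacking an `overrides` entry, and reports `latest` specifiers. The sample report, the package name `example-nested-lib`, and the function names are constructed for illustration.

```javascript
// Added example. Input shape: `npm audit --json` from npm 7+ (auditReportVersion 2).
// Both objects below are constructed samples, not the audit log linked in the issue.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "nth-check": { name: "nth-check", isDirect: false, effects: ["css-select"],
      via: [{ name: "nth-check", title: "constructed advisory" }] },
    "css-select": { name: "css-select", isDirect: false, effects: ["react-scripts"],
      via: ["nth-check"] },
    "glob-parent": { name: "glob-parent", isDirect: false, effects: ["react-scripts"],
      via: [{ name: "glob-parent", title: "constructed advisory" }] },
    "example-nested-lib": { name: "example-nested-lib", isDirect: false, effects: [],
      via: [{ name: "example-nested-lib", title: "constructed advisory" }] },
    "react-scripts": { name: "react-scripts", isDirect: true, effects: [],
      via: ["css-select", "glob-parent"] },
  },
};
const samplePkg = {
  dependencies: { "node-sass": "latest", "react-scripts": "latest" },
  overrides: { "glob-parent": "latest", "nth-check": "latest" },
};

// Split audit entries into packages that carry an advisory themselves (objects in
// `via`) and packages that are only flagged because they depend on one (strings).
function triage(audit, pkg) {
  const overridden = new Set(Object.keys(pkg.overrides || {}));
  const rootCauses = [], chainOnly = [], missingOverride = [];
  for (const v of Object.values(audit.vulnerabilities || {})) {
    const hasAdvisory = (v.via || []).some((x) => typeof x === "object");
    if (!hasAdvisory) { chainOnly.push(v.name); continue; }
    rootCauses.push(v.name);
    // A direct dependency is fixed by bumping it; only nested ones need an override.
    if (!v.isDirect && !overridden.has(v.name)) missingOverride.push(v.name);
  }
  return { rootCauses: rootCauses.sort(), chainOnly: chainOnly.sort(), missingOverride };
}

// "latest" and "*" resolve at install time, so the audited tree is only
// reproducible while package-lock.json (or npm-shrinkwrap.json) is committed.
function floatingSpecs(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "overrides"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (spec === "latest" || spec === "*") out.push(`${field}.${name}`);
    }
  }
  return out;
}

console.log(triage(sampleAudit, samplePkg), floatingSpecs(samplePkg));
```

Run it against a real report by replacing `sampleAudit` with the parsed output of `npm audit --json` and `samplePkg` with the parsed `package.json`.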
Hi @mekkim,
Thank you for working with our products.
It seems like you are using the React version of the Argon Design System. Can you please reopen this issue on its official repo: https://github.com/creativetimofficial/argon-design-system-react?
Thank you, Rares
Version
Latest
Reproduction link
https://github.com/mekkim/donatemask
Operating System
All
Device
All
Browser & Version
All
Steps to reproduce
Run npm audit against latest branch.
What is expected?
No vulnerabilities in dependencies
What is actually happening?
38 vulnerabilities (20 moderate, 18 high) in dependencies.
npm audit fix advises that upgrades required to address vulnerabilities are breaking.
Solution
Dependencies and any resulting breaking feature changes should be resolved:
react-scripts to version 5.0.0+
node-sass to version 7.0.1+
Additional comments
npm audit log: https://pastes.io/tr6m6umkip