devloco / create-react-wptheme

Create modern, React-enabled WordPress themes with a single command.
MIT License

prototype pollution and remote code execution #65

Open fanhustler opened 3 years ago

fanhustler commented 3 years ago

Hi, I am new to React as I am a WordPress dev. I have been following Michael Soriano's tutorial on how to build a WordPress theme with React, and when I got to the step to "install react-router-dom" I got the following npm warn messages:

"npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.13.12 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

found 4 vulnerabilities (1 low, 3 high) run npm audit fix to fix them, or npm audit for details"

so, I ran:

"$ npm audit fix
npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.13.12 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself."

and got back this message:

"fixed 0 of 4 vulnerabilities in 1698 scanned packages 4 vulnerabilities required manual review and could not be updated"

so, then I ran "npm audit"

"$ npm audit

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Low | Prototype Pollution
Package: yargs-parser
Patched in: >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of: @devloco/react-scripts-wptheme
Path: @devloco/react-scripts-wptheme > webpack-dev-server > yargs > yargs-parser
More info: https://npmjs.com/advisories/1500

High | Remote Code Execution
Package: serialize-javascript
Patched in: >=3.1.0
Dependency of: @devloco/react-scripts-wptheme
Path: @devloco/react-scripts-wptheme > terser-webpack-plugin > serialize-javascript
More info: https://npmjs.com/advisories/1548

High | Prototype Pollution
Package: object-path
Patched in: >=0.11.5
Dependency of: @devloco/react-scripts-wptheme
Path: @devloco/react-scripts-wptheme > resolve-url-loader > adjust-sourcemap-loader > object-path
More info: https://npmjs.com/advisories/1573

High | Prototype Pollution
Package: immer
Patched in: >=8.0.1
Dependency of: @devloco/react-scripts-wptheme
Path: @devloco/react-scripts-wptheme > react-dev-utils > immer
More info: https://npmjs.com/advisories/1603

found 4 vulnerabilities (1 low, 3 high) in 1698 scanned packages
4 vulnerabilities require manual review. See the full report for details."

Like I said, I am new to React and am trying to learn how to develop my own React themes for WordPress, so I was delighted when I found your create-react-wptheme on Michael's blog!

I guess my questions are:

1.) Is this a major ordeal or can I just continue to develop a wp theme with this package and not worry about those warning messages?

OR

2.) How can I fix these dependency vulnerabilities on my own?

OR

3.) Would you be able to update your repository so that this is no longer an issue?

I am unsure of the correct way to go about fixing this issue, so any insight would be greatly appreciated!

Thank you for this package, as I am sure it would have taken me many more months to have figured out how to do this on my own.

Many thanks,

Jesse Giddens
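The audit report above labels three of the four findings "Prototype Pollution" without saying what that class of bug is. The following is an added example written for this page; it is not code from create-react-wptheme, nor from yargs-parser, object-path or immer, and it does not reproduce the particular defects behind advisories 1500, 1573 or 1603. It shows the general pattern those advisories belong to: a recursive merge of attacker-influenced JSON (a config file, a query string, CLI options) into a plain object, first in a vulnerable form, then hardened, with a check that makes the effect visible. The `PAYLOAD` string and the function names `mergeUnsafe`, `mergeSafe`, `isPolluted` and `demo` are constructed for this illustration.

```javascript
// Added illustration of the "Prototype Pollution" bug class named in the
// npm audit output above. Toy code for this page only; not the code of any
// package in that report.

// Constructed attacker input: a harmless-looking setting plus a `__proto__`
// key. JSON.parse creates `__proto__` as an own, enumerable property, so a
// naive merge will walk into it.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Vulnerable: copies every key from `src` into `dst`, recursing into nested
// objects. For key "__proto__", `dst[key]` resolves to dst's prototype
// (Object.prototype for a plain object), so the nested keys are written
// onto Object.prototype and show up on every object in the process.
function mergeUnsafe(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      mergeUnsafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: refuse the three keys that reach the prototype chain
// (`__proto__` directly; `constructor` then `prototype` indirectly), and
// only recurse into properties `dst` actually owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      mergeSafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Detection check: has `prop` been planted on Object.prototype?
// (A fresh `{}` inheriting the value is the symptom code elsewhere sees.)
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs both merges against the same payload and reports what a completely
// unrelated empty object believes afterwards. Cleans up Object.prototype
// between the two runs so the result does not depend on call order.
function demo() {
  mergeUnsafe({}, JSON.parse(PAYLOAD));
  const pollutedAfterUnsafe = ({}).isAdmin === true; // true: every object is "admin"
  delete Object.prototype.isAdmin;                   // undo the damage for the next run

  const cfg = mergeSafe({}, JSON.parse(PAYLOAD));
  const pollutedAfterSafe = ({}).isAdmin === true;   // false: the key was dropped
  return { pollutedAfterUnsafe, pollutedAfterSafe, theme: cfg.theme };
}

console.log(JSON.stringify(demo()));
```

Run it with `node`. The point of the demo is why the audit rates these findings high even though no single line of theme code is "wrong": once `Object.prototype.isAdmin` is set, any check of the form `if (user.isAdmin)` anywhere in the same process passes for objects that never had that property. Freezing `Object.prototype` at startup or keeping parsed config in `Object.create(null)` objects are complementary defences to the key filter shown here, but the fix that counts for a dependency finding is moving to a version inside the "Patched in" range the report lists.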

believelody commented 3 years ago

Hello @fanhustler, I don't know if you have already found a solution, but as far as I know you can continue to develop your app. There is no real big deal with those warnings. Just be careful when using React Router; you might see some weird behaviour.