Open NarahariTagili-Eaton opened 1 year ago
While you are at it, here are some more dependencies that are vulnerable and should get updated.
CVE-2022-3517: react-scripts-5.0.1.tgz (Root Library) > react-dev-utils-12.0.1.tgz > recursive-readdir-2.2.2.tgz > ❌ minimatch-3.0.4.tgz (Vulnerable Library)
CVE-2022-37599: react-scripts-5.0.1.tgz (Root Library) > file-loader-6.2.0.tgz > ❌ loader-utils-2.0.2.tgz (Vulnerable Library)
Is there a timeframe for when the PR will be pushed to update the dependent vulnerable libraries?
All the vulnerability issues come from the dependency packages, which are outdated. Is there any update on the fix for the vulnerabilities?
I assume CRA is dead now, as nobody responded to CVE-related topics for more than a week.
Any update on this? Help needed to fix the vulnerabilities!!
FWIW, the workaround I ended up with for file-loader to unblock us was to use react-app-rewired and add the following to our config-overrides.js:

```js
// config-overrides.js (loaded by react-app-rewired)
module.exports = function override(config) {
  try {
    // CRA keeps its loader rules inside a single rule that carries a `oneOf` array.
    const oneOfRule = config.module.rules.find((rule) =>
      Array.isArray(rule.oneOf),
    );
    // Locate the rule that handles .svg files (the one backed by file-loader).
    const svgRule = oneOfRule.oneOf.find(
      (r) => r.test.toString() === '/\\.svg$/',
    );
    // Switch to webpack 5's built-in asset module so file-loader is no longer used.
    svgRule.type = 'asset';
    delete svgRule.use;
  } catch (err) {
    console.error(
      'Error while applying config-overrides. CRA has updated the default webpack config.',
      err,
    );
    throw err;
  }
  return config;
};
```
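As an added example (not the commenter's code), the same svg-rule rewrite applied to a constructed, minimal stand-in for CRA's webpack config, with a check that file-loader is really gone afterwards; the config object and its loader entries are constructed here, not taken from CRA.

```javascript
// Constructed stand-in for the relevant part of CRA's webpack config
// (module.rules -> a rule carrying oneOf -> per-file-type rules).
function makeSampleConfig() {
  return {
    module: {
      rules: [
        { test: /\.(js|mjs|jsx|ts|tsx)$/, enforce: 'pre', use: ['source-map-loader'] },
        {
          oneOf: [
            {
              test: /\.svg$/,
              use: [{ loader: 'file-loader', options: { name: 'static/media/[name].[hash].[ext]' } }],
            },
            { test: /\.css$/, use: ['style-loader', 'css-loader'] },
          ],
        },
      ],
    },
  };
}

// Rewrite the .svg rule to webpack 5's built-in asset module so file-loader
// (and its loader-utils dependency) drops out of the build. Fails loudly if
// the config shape is not what was expected, instead of silently doing nothing.
function dropFileLoaderForSvg(config) {
  const oneOfRule = config.module.rules.find((rule) => Array.isArray(rule.oneOf));
  if (!oneOfRule) throw new Error('No oneOf rule found; CRA config shape changed');
  const svgRule = oneOfRule.oneOf.find((r) => r.test && r.test.toString() === '/\\.svg$/');
  if (!svgRule) throw new Error('No .svg rule found; CRA config shape changed');
  svgRule.type = 'asset';
  delete svgRule.use;
  return config;
}

// Verification helper: true while any rule (top-level or inside oneOf) still names file-loader.
function usesFileLoader(config) {
  const allRules = config.module.rules.flatMap((r) => (r.oneOf ? r.oneOf : [r]));
  return allRules.some((r) =>
    (r.use || []).some((u) => (typeof u === 'string' ? u : u.loader) === 'file-loader'),
  );
}

const cfg = dropFileLoaderForSvg(makeSampleConfig());
console.log(usesFileLoader(cfg) ? 'file-loader still present' : 'file-loader removed from svg rule');
```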
See the pinned issue here; I don't think these represent actual vulnerabilities.
Yes, #11174 addresses this exactly and provides resolution steps.
I am also getting the vulnerabilities due to the react-scripts package. Here is the list:
webpack-5.5.0
nth-check-1.0.2
loader-utils-3.2.1
semver-7.5.0
css-what-3.4.2
postcss-8.4.26
mime-1.3.2
Please do consider upgrading these vulnerable packages that are in the dependencies of the react-scripts package.
Still getting vulnerabilities with the latest react-scripts:
nth-check <2.0.1 - Severity: high - Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
postcss <8.4.31 - Severity: moderate - PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
The only fix available from the npm audit command is to downgrade react-scripts to version 3.0.1, which is not acceptable.
I think at this point, with no release in over 2 years, we can assume this project is probably abandoned. I migrated one project to Vite and another to NextJS. The Vite migration for a larger project wasn't too hard (a couple of hours total).
I'm thankful for this project and its maintainers but I think it's time to move on until they come back and maintain this.
We are using the react-scripts 5.0.1 library; under this library there are vulnerable transitive libraries:
terser/5.13.1
css-what/3.4.2
nth-check/1.0.2
terser/5.13.1: versions before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions. CVE: CVE-2022-25858 (BDSA-2022-2526)
css-what/3.4.2 incorrectly implements Linear Time Complexity. An attacker can take advantage of this in order to overload system resources and cause a denial-of-service (DoS). CVE: BDSA-2021-1962
nth-check/1.0.2 is vulnerable to Inefficient Regular Expression Complexity. CVE: CVE-2021-3803 (BDSA-2021-2906)
We would expect to upgrade the react-scripts 5.0.1 to the latest version with
Using the vulnerable react-scripts 5.0.1 makes our product vulnerable; please upgrade react-scripts 5.0.1 to the latest version with security patches for the transitive dependencies.