facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License

nth-check <2.0.1 Severity: high && json5 <2.2.2 Severity: high #12936

Open alk-m90387 opened 1 year ago

alk-m90387 commented 1 year ago

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-react-app  >=7.0.0-next.75
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-react-app
        react-scripts  >=2.1.4
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of eslint-config-react-app
        node_modules/react-scripts

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of eslint-config-react-app

hoffmannjan commented 1 year ago

Any updates? When can we expect a new release?

Lelith commented 1 year ago

Just writing to also confirm that react-scripts v5.0.1 prevents us from fixing the critical security issue coming from JSON5 < v2.2.2 (see https://github.com/json5/json5/blob/main/CHANGELOG.md#v222-code-diff)

sergei-lobanov commented 1 year ago

Who can triage it/update and release a hotfix?

Nbestwl commented 1 year ago

Does anyone have a workaround for this issue?

alk-m90387 commented 1 year ago

Hi, I have upgraded the versions of nth-check and json5 in my package-lock.json manually. It is not the permanent solution. I would like to request that CRA release a security patch for this. react-scripts v5.0.1 depends on the lower versions.

Thanks & Regards, Aloke Basak


yefei0423 commented 1 year ago

Are there any updates on this issue?

CodyWalraven commented 1 year ago

Checking for any updates to this as well. Still unable to resolve the vulnerability until this is updated.

WilliamPriorielloGarda commented 1 year ago

see https://github.com/facebook/create-react-app/issues/11174

mark-wiemer commented 1 year ago

Yes, #11174 clarifies that this is a non-issue. react-scripts should be a dev dependency and npm audit should be run with --omit=dev (the replacement to --production). Thanks for the link, @WilliamPriorielloGarda

This "security vulnerability" will not affect end-users as react-scripts isn't actually used in apps created by CRA by default. Unless you're somehow referencing react-scripts from your production app, you're fine.

martinhrvn commented 1 year ago

> Yes, #11174 clarifies that this is a non-issue. react-scripts should be a dev dependency and npm audit should be run with --omit=dev (the replacement to --production). Thanks for the link, @WilliamPriorielloGarda
>
> This "security vulnerability" will not affect end-users as react-scripts isn't actually used in apps created by CRA by default. Unless you're somehow referencing react-scripts from your production app, you're fine.

I don't quite agree that audit should be run for production packages only. If I were an attacker I would hide some malicious code in something like a webpack plugin.

In this case it doesn't seem to be an issue. But if I create a new CRA project, react-scripts is not in devDependencies.
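The two comments above turn on a single fact about the project's own package.json: whether react-scripts is declared under dependencies (where npm audit counts it as shipping to users) or under devDependencies (where npm audit --omit=dev skips it). The following Node script is an added example, not code from create-react-app or from anyone in this thread. It checks a package.json for build-only tooling listed as a production dependency, produces a corrected copy with those entries moved to devDependencies, and names the audit command to run afterwards. The sample package.json and the BUILD_ONLY_TOOLING list are constructed for the example; extend the list with whatever tooling your project uses.

```javascript
// Added example (not part of create-react-app or this issue thread):
// report build-only tooling such as react-scripts that is declared as a
// production dependency, and produce a corrected package.json that moves it
// to devDependencies, so that `npm audit --omit=dev` covers only what ships.

// Constructed sample package.json, shaped like a freshly generated CRA project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'my-app',
  version: '0.1.0',
  private: true,
  dependencies: {
    react: '^18.2.0',
    'react-dom': '^18.2.0',
    'react-scripts': '5.0.1',
  },
  scripts: { start: 'react-scripts start', build: 'react-scripts build' },
}, null, 2);

// Packages that run at build, lint or test time and never in the browser bundle.
// Hypothetical starting list for this example; add your own tooling to it.
const BUILD_ONLY_TOOLING = ['react-scripts', 'eslint', 'webpack', 'jest', 'typescript'];

// Return the tooling names that are (wrongly) listed under `dependencies`.
function findMisplacedTooling(pkg, toolingNames = BUILD_ONLY_TOOLING) {
  const deps = pkg.dependencies || {};
  return toolingNames.filter((name) => Object.prototype.hasOwnProperty.call(deps, name));
}

// Return a new package object with the misplaced tooling moved to devDependencies.
// The input object is left untouched and version ranges are preserved.
function moveToolingToDev(pkg, toolingNames = BUILD_ONLY_TOOLING) {
  const misplaced = findMisplacedTooling(pkg, toolingNames);
  if (misplaced.length === 0) return pkg;
  const dependencies = { ...(pkg.dependencies || {}) };
  const devDependencies = { ...(pkg.devDependencies || {}) };
  for (const name of misplaced) {
    devDependencies[name] = dependencies[name];
    delete dependencies[name];
  }
  return { ...pkg, dependencies, devDependencies };
}

// Parse a package.json string and report what would change.
function auditPackageJson(text, toolingNames = BUILD_ONLY_TOOLING) {
  const pkg = JSON.parse(text);
  const misplaced = findMisplacedTooling(pkg, toolingNames);
  return {
    misplaced,
    fixed: moveToolingToDev(pkg, toolingNames),
    // Once tooling lives in devDependencies, this audits only what reaches users.
    auditCommand: 'npm audit --omit=dev',
  };
}

// Run the check on the constructed sample when executed directly.
const report = auditPackageJson(SAMPLE_PACKAGE_JSON);
if (report.misplaced.length > 0) {
  console.log(`Build-only tooling declared as production dependencies: ${report.misplaced.join(', ')}`);
  console.log('Corrected package.json:');
  console.log(JSON.stringify(report.fixed, null, 2));
  console.log(`Then run: ${report.auditCommand}`);
} else {
  console.log('No build-only tooling found under dependencies.');
}

if (typeof module !== 'undefined') {
  module.exports = { findMisplacedTooling, moveToolingToDev, auditPackageJson, SAMPLE_PACKAGE_JSON };
}
```

On the sample input the script reports react-scripts as misplaced and emits a package.json with it under devDependencies; react and react-dom stay where they are. Point it at a real file by replacing SAMPLE_PACKAGE_JSON with the contents of your package.json, and keep martinhrvn's caveat in mind: --omit=dev narrows the audit to what ships, so build tooling still deserves its own review.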

vaughngit commented 1 year ago

For some reason I kept running npm audit --omit-dev and still received error output (note I was using a dash instead of the assignment). Dropping this note for others like me :) The correct command is:

npm audit --omit=dev

npm audit --omit dev works as well and is easier to read in my opinion :)