Open alk-m90387 opened 1 year ago
Any updates? When we can expect new release?
Just writing to also confirm that react-scripts v5.0.1 prevents us from fixing the critical security issue coming from JSON5 < v2.2.2 (see https://github.com/json5/json5/blob/main/CHANGELOG.md#v222-code-diff)
Who can triage it/update and release a hotfix?
Does anyone have a workaround for this issue?
Hi, I have upgraded the version of nth-check and json5 in my package-lock.json manually. It is not the permanent solution. I would like to request that CRA release a security patch regarding this; react-scripts v5.0.1 depends on the lower version.
Thanks & Regards, Aloke Basak
From: Lei Wang @.> Sent: Tuesday, 10 January 2023 00:28 To: facebook/create-react-app @.> Cc: Aloke Basak @.>; Author @.> Subject: [EXT] Re: [facebook/create-react-app] nth-check <2.0.1 Severity: high && json5 <2.2.2 Severity: high (Issue #12936)
Are there any updates for this issue?
Checking for any updates to this as well. Still unable to resolve the vulnerability until this is updated.
Yes, #11174 clarifies that this is a non-issue. `react-scripts` should be a dev dependency and `npm audit` should be run with `--omit=dev` (the replacement for `--production`). Thanks for the link, @WilliamPriorielloGarda
This "security vulnerability" will not affect end-users as `react-scripts` isn't actually used in apps created by CRA by default. Unless you're somehow referencing `react-scripts` from your production app, you're fine.
I don't quite agree that audit should be run for production packages only. If I were an attacker I would hide some malicious code in something like a webpack plugin.
In this case it doesn't seem to be an issue. But if I create a new CRA app, react-scripts is not in devDependencies.
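The two comments above disagree about what `npm audit --omit=dev` hides and whether that is acceptable. The check below, added here as an example and not code from create-react-app or npm, makes the distinction concrete: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) with npm's nested `node_modules` resolution and labels each copy of a vulnerable package as reachable from `dependencies` (ships to end users), reachable only from `devDependencies` (build tooling such as react-scripts), or unreachable. The lockfile, the package `some-prod-lib` and all version numbers in it are constructed for the example; the two advisories and their fixed versions are the ones quoted in this thread.

```javascript
// Added example (not create-react-app's or npm's code). Classifies vulnerable
// packages in a lockfile by production vs dev-only reachability, which is the
// distinction `npm audit --omit=dev` draws. Only "dependencies" edges are
// followed (peer/optional dependencies are ignored for simplicity).

// Advisory thresholds from the thread: vulnerable if version < fixedIn.
const ADVISORIES = [
  { name: "json5", fixedIn: "2.2.2", id: "GHSA-9c47-m6qq-7p4h" },
  { name: "nth-check", fixedIn: "2.0.1", id: "GHSA-rp65-9cf3-cjxr" },
];

// Constructed lockfile: react-scripts is a devDependency and pulls in the two
// nested vulnerable copies seen in the audit output; the hypothetical
// "some-prod-lib" drags an old json5 into the production tree.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { react: "^18.2.0", "some-prod-lib": "^1.0.0" },
      devDependencies: { "react-scripts": "5.0.1" },
    },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/some-prod-lib": { version: "1.0.0", dependencies: { json5: "^1.0.0" } },
    "node_modules/some-prod-lib/node_modules/json5": { version: "1.0.2" },
    "node_modules/react-scripts": {
      version: "5.0.1",
      dependencies: { "@svgr/webpack": "^5.5.0", "eslint-config-react-app": "^7.0.1" },
    },
    "node_modules/@svgr/webpack": { version: "5.5.0", dependencies: { svgo: "^1.3.2" } },
    "node_modules/svgo": { version: "1.3.2", dependencies: { "css-select": "^2.0.0" } },
    "node_modules/svgo/node_modules/css-select": { version: "2.1.0", dependencies: { "nth-check": "^1.0.2" } },
    "node_modules/svgo/node_modules/nth-check": { version: "1.0.2" },
    "node_modules/eslint-config-react-app": { version: "7.0.1", dependencies: { "eslint-plugin-import": "^2.25.3" } },
    "node_modules/eslint-plugin-import": { version: "2.27.5", dependencies: { "tsconfig-paths": "^3.14.1" } },
    "node_modules/tsconfig-paths": { version: "3.14.1", dependencies: { json5: "^1.0.1" } },
    "node_modules/tsconfig-paths/node_modules/json5": { version: "1.0.1" },
  },
};

// Minimal x.y.z comparison (prerelease tags are truncated by parseInt).
function versionLess(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10) || 0);
  const pb = b.split(".").map((x) => parseInt(x, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// npm resolution: look for node_modules/<dep> inside the requiring package's
// folder, then in each ancestor folder, up to the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1); // drop "/node_modules/<pkg>"
  }
}

// Breadth-first walk from a set of root dependency names; returns lock paths.
function reachableFrom(packages, rootDeps) {
  const seen = new Set();
  const queue = Object.keys(rootDeps || {}).map((d) => resolveDep(packages, "", d)).filter(Boolean);
  while (queue.length) {
    const path = queue.shift();
    if (seen.has(path)) continue;
    seen.add(path);
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const p = resolveDep(packages, path, dep);
      if (p && !seen.has(p)) queue.push(p);
    }
  }
  return seen;
}

const nameFromPath = (path) => path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);

// One finding per vulnerable copy, tagged production / dev-only / unreachable.
function classifyAudit(lock) {
  const packages = lock.packages;
  const prod = reachableFrom(packages, packages[""].dependencies);
  const dev = reachableFrom(packages, packages[""].devDependencies);
  const findings = [];
  for (const [path, info] of Object.entries(packages)) {
    if (path === "") continue;
    const name = nameFromPath(path);
    for (const adv of ADVISORIES) {
      if (adv.name === name && versionLess(info.version, adv.fixedIn)) {
        const scope = prod.has(path) ? "production" : dev.has(path) ? "dev-only" : "unreachable";
        findings.push({ path, name, version: info.version, advisory: adv.id, scope });
      }
    }
  }
  return findings;
}

// What `npm audit --omit=dev` would still report: production-reachable copies.
function productionFindings(lock) {
  return classifyAudit(lock).filter((f) => f.scope === "production");
}

for (const f of classifyAudit(LOCK)) {
  console.log(`${f.scope.padEnd(11)} ${f.name}@${f.version}  ${f.advisory}  (${f.path})`);
}
```

Run against the constructed lockfile, the two copies pulled in by react-scripts come out `dev-only` and the json5 under `some-prod-lib` comes out `production`, so the latter is the only one `--omit=dev` would keep. A `dev-only` label means the package does not ship in the built app, not that it is harmless: it still executes on developer machines and CI, which is the point the second comment makes about a poisoned webpack plugin. Note that npm's own lockfile already marks dev-only entries with `dev: true`; the walk above recomputes that flag so the reasoning is visible.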
For some reason I kept running `npm audit --omit-dev` and still received error outputs (note I was using a dash instead of the assignment). Dropping this note for others like me :) The correct command is:
`npm audit --omit=dev`
`npm audit --omit dev` works as well and is easier to read in my opinion :)
```
json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-react-app  >=7.0.0-next.75
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-react-app
        react-scripts  >=2.1.4
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of eslint-config-react-app
        node_modules/react-scripts

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of eslint-config-react-app
```