facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License

Question About 6 high severity vulnerabilities #13227

Open parmpreetnanrhe opened 1 year ago

parmpreetnanrhe commented 1 year ago

I am getting this message in my terminal that the package contains 6 high severity vulnerabilities. Is it safe to go with this package these days?

I am new to this type of project. I am unable to understand everything mentioned about this topic on the internet. Can anyone help me understand: is it really a problem which can lead to data loss or backend tracking?

dave9123 commented 1 year ago

Try running npm i @svgr/webpack --save-dev

jrjake commented 1 year ago

See issue #11174, it is OK to ignore this warning.

denezra commented 1 year ago

@wfjake Hmm, is there a way to fix this rather than just ignoring it? Because this will get detected on my CSEC scan.

dave9123 commented 1 year ago

Try running npm i @svgr/webpack --save-dev

Might help you :)

denezra commented 1 year ago

@dave9123 Still the same good sir


dave9123 commented 1 year ago

Can I see which package? npm audit report

denezra commented 1 year ago

Hi @dave9123, here's the npm audit report


nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/react-scripts/node_modules/nth-check
  css-select  <=3.1.0
    Depends on vulnerable versions of nth-check
    node_modules/react-scripts/node_modules/css-select
    svgo  1.0.0 - 1.3.2
      Depends on vulnerable versions of css-select
      node_modules/react-scripts/node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
        Depends on vulnerable versions of svgo
        node_modules/react-scripts/node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
          Depends on vulnerable versions of @svgr/plugin-svgo
          node_modules/react-scripts/node_modules/@svgr/webpack
          react-scripts  >=2.1.4
            Depends on vulnerable versions of @svgr/webpack
            node_modules/react-scripts

If the devs truly abandoned this project (based on this discussion here), I might try to migrate to another framework like Vite, Next, or Svelte.

dave9123 commented 1 year ago

I forgot that you need to modify your nth-check version,

"overrides": {
  "nth-check": "2.0.1"
},

Should be something like this.
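As an added example (not code from this thread or from create-react-app), a small Node script that checks every installed copy of a package against the vulnerable range from the audit report above; this is how to confirm that an overrides entry actually reached the nested copy under react-scripts rather than only the hoisted one. The installed tree and the advisory map are constructed inline; paths, versions and function names are illustrative.

```javascript
// Added example (not from the thread or create-react-app): verify that an
// "overrides" entry really moved every installed copy of nth-check out of the
// advisory's range. Sample data below is constructed; versions are major.minor.patch.

function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`unsupported version: ${v}`);
  return parts;
}

// Numeric compare of [major, minor, patch]; a plain string compare would put "2.0.10" before "2.0.1".
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Handles the range forms npm audit prints above: "<2.0.1", "<=3.1.0", "1.0.0 - 1.3.2", ">=2.1.4".
function inVulnerableRange(version, range) {
  const hyphen = range.trim().match(/^(\S+)\s+-\s+(\S+)$/);
  if (hyphen) return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  const m = range.trim().match(/^(<=|>=|<|>)\s*(\S+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 }[m[1]];
}

// installed maps each node_modules path to the version found there (e.g. read from
// its package.json); the package name is whatever follows the last "node_modules/".
function findVulnerable(installed, advisories) {
  return Object.entries(installed)
    .filter(([p, v]) => {
      const name = p.replace(/^.*node_modules\//, '');
      return name in advisories && inVulnerableRange(v, advisories[name]);
    })
    .map(([p]) => p);
}

// Only the real advisory goes here: css-select, svgo and the @svgr packages appear in the
// report solely because they "depend on vulnerable versions of" nth-check.
const advisories = { 'nth-check': '<2.0.1' };
// Constructed tree: the hoisted copy is already fixed, the nested copy under react-scripts is not.
const beforeOverride = {
  'node_modules/nth-check': '2.0.1',
  'node_modules/react-scripts/node_modules/nth-check': '1.0.2',
  'node_modules/react-scripts/node_modules/css-select': '2.1.0',
};
const afterOverride = { ...beforeOverride, 'node_modules/react-scripts/node_modules/nth-check': '2.0.1' };
console.log('before:', findVulnerable(beforeOverride, advisories), 'after:', findVulnerable(afterOverride, advisories));
```

In a real project, build the `installed` map by walking node_modules and reading each package.json, then rerun after changing overrides and reinstalling.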

dave9123 commented 1 year ago

Here's me being confused, again.