Open wesco-vishalprasad opened 1 year ago
Any update on this?
I too required to fix this vulnerability
Help me please
Any updates on this?
Is anybody working on this?
Are you sure this comes from react-scripts? Check under the Dependency Graph section on the Veracode SCA scan.
For me it came from the eslint package and react-scripts had no issue. If for anyone else it is the eslint package then here's how I sorted it out:
npm ls inflight
Also, this explanation may be useful: https://github.com/facebook/create-react-app/issues/11174#issue-935928547
Using v10 glob (10.4.2) will solve this as inflight is not used anymore; you can force this by adding "glob": "10.4.2" in your overrides in package.json.
Example:
  "dependencies": {
    ...
  },
  "overrides": {
    "glob": "10.4.2"
  }
This change didn't cause issues in my application, and I don't think it will in yours, but you should test just in case. Side-note: react-scripts is deprecated and should be avoided anyway for production.
When I created a create-react-app app, I found a medium security vulnerability in the inflight library (https://www.npmjs.com/package/inflight?activeTab=versions). The details are below.
Veracode Software Composition Analysis (SCA) scan screenshot
SRCCLR-SID-41137 Memory Leak: inflight is vulnerable to a Memory Leak. The vulnerability is due to lack of restrictions on how many callbacks the library can concurrently support, which can result in a NodeJS out of heap memory crash.
We scanned using a licensed version of the Veracode tool. inflight is no longer maintained and the react-scripts latest version 5.0.1 has this vulnerability. Please let us know if this can be fixed or any workaround.