facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License

Vulnerability Issues with nth-check in react-scripts Dependencies #13364

Open niryaf opened 11 months ago

niryaf commented 11 months ago

Environment:

Description: I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package. Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

NPM Audit Output:

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/react-scripts/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/react-scripts/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/react-scripts/node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/react-scripts/node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/react-scripts/node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

Steps to Reproduce:

  1. Updated to the latest version of react-scripts.
  2. Ran npm audit, revealing the vulnerability issue related to nth-check.
  3. Attempted to manually update dependencies and force resolutions.
  4. Checked again with npm audit, but the vulnerability warning persisted.

Expected Behavior: The dependencies, especially nth-check, should be up-to-date, ensuring no vulnerabilities when executing npm audit.

Additional Context: I made attempts to resolve this by updating individual packages and also using the npm-force-resolutions package. Unfortunately, the vulnerability continues to persist.

Seeking guidance or a potential fix for this vulnerability. Thank you for your assistance!

OlivierMartineau commented 11 months ago

See this comment, it's important. https://github.com/facebook/create-react-app/issues/13062#issuecomment-1474189236

If you consider migrating, check this article: https://cathalmacdonnacha.com/migrating-from-create-react-app-cra-to-vite

If you really need to fix this warning, you can declare in your dependencies

"dependencies": {
    "nth-check": "^2.1.1"
}

and at the end of your package.json

"overrides": {
    "nth-check": "$nth-check"
}

palyvodaBoi commented 2 months ago

It doesn't work for me :( Seems like it's time to migrate to Vite

Senior-Ori commented 2 months ago

> It doesn't work for me :( Seems like it's time to migrate to Vite

I added this:

  "dependencies": {
    "react-scripts": "^5.0.1",
    "web-vitals": "^2.1.4",
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss": "^8.4.38"
  }

and after that I ran npm update, hope it helps you :)

tariv2012 commented 2 months ago

> > It doesn't work for me :( Seems like it's time to migrate to Vite
>
> I added this:
>
>   "dependencies": {
>     "react-scripts": "^5.0.1",
>     "web-vitals": "^2.1.4",
>     "nth-check": "^2.1.1"
>   },
>   "overrides": {
>     "nth-check": "^2.1.1",
>     "postcss": "^8.4.38"
>   }
>
> and after that I ran npm update, hope it helps you :)

Thanks for this info, it helped me remove the Snyk scanning issue on nth-check.

tuanhuynh77 commented 1 month ago

Maybe the problem is due to a lack of permission to use the new version, so it requires reinstalling the libs and overriding the existing version (registered in the dependencies list):

npm i postcss

npm i nth-check

and add this to the end of the package.json file: "overrides": { "nth-check": "$nth-check", "postcss": "$postcss" }

That helped for me, after updating node to v22.3.0 and react-scripts to 5.0.1.