facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License
102.81k stars 26.88k forks source link

Vulnerability Issues with postcss and nth-check in react-scripts Dependencies #13671

Open PrathapKaraka opened 2 months ago

PrathapKaraka commented 2 months ago

I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package in our prismacloudscan.

Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

Node JS version: we tried all possible node versions like node v16.20.2,v18.90, v19.81. and v20.16.0. React version : 18.2.0

Methods we tried to fix the issue.

1) we are using latest react-scripts verison : 5.0.1, 2) we manually installed latest version of postcss and nth-check 3) we tried to override both dependencies in package.json "overrides": { "react-scripts": { "postcss":"8.4.31", "nth-check":"2.0.1" } } and

"overrides": { "postcss":"8.4.31", "nth-check":"2.0.1" }

we tried nth-check latest version 2.1.1 in overrides and 8.4.45.

we tried npm audit and got following results :

nth-check <2.0.1 Severity: high Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr fix available via npm audit fix --force Will install react-scripts@3.0.1, which is a breaking change node_modules/svgo/node_modules/css-select/node_modules/nth-check css-select <=3.1.0 Depends on vulnerable versions of nth-check node_modules/svgo/node_modules/css-select svgo 1.0.0 - 1.3.2 Depends on vulnerable versions of css-select node_modules/svgo @svgr/plugin-svgo <=5.5.0 Depends on vulnerable versions of svgo node_modules/@svgr/plugin-svgo @svgr/webpack 4.0.0 - 5.5.0 Depends on vulnerable versions of @svgr/plugin-svgo node_modules/@svgr/webpack react-scripts >=2.1.4 Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of resolve-url-loader node_modules/react-scripts

postcss <8.4.31 Severity: moderate PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j fix available via npm audit fix --force Will install react-scripts@3.0.1, which is a breaking change node_modules/resolve-url-loader/node_modules/postcss resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0 Depends on vulnerable versions of postcss node_modules/resolve-url-loader

request Severity: moderate Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6 Depends on vulnerable versions of tough-cookie fix available via npm audit fix --force Will install jest@29.7.0, which is a breaking change node_modules/request jsdom 0.1.20 || 0.2.0 - 16.5.3 Depends on vulnerable versions of request Depends on vulnerable versions of request-promise-native Depends on vulnerable versions of tough-cookie node_modules/zem/node_modules/jsdom jest-environment-jsdom 10.0.2 - 25.5.0 Depends on vulnerable versions of jsdom node_modules/zem/node_modules/jest-environment-jsdom request-promise-core Depends on vulnerable versions of request node_modules/request-promise-core request-promise-native >=1.0.0 Depends on vulnerable versions of request Depends on vulnerable versions of request-promise-core Depends on vulnerable versions of tough-cookie node_modules/request-promise-native

now, we tried npm audit fix --force Still issue not resolved, please update react-scripts dependency it was updated 2 years ago

Sean-Bradley commented 2 months ago

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

qwertychouskie commented 2 months ago

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

Do you have a suggested override to fix https://github.com/advisories/GHSA-gcx4-mw62-g8wm?

qwertychouskie commented 2 months ago

For now, this is my overrides list in packages.json:

  "overrides": {
    "svgo": {
      "nth-check": ">=2.0.2"
    },
    "react-scripts": {
      "postcss": ">=8.4.31",
      "workbox-webpack-plugin": ">=7.1.0"
    },
    "workbox-build": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-babel": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-replace": {
      "rollup": ">=3.29.5"
    }
  },

I haven't seen any obvious breakages, but please test this before blindly using it in prod.