Open PrathapKaraka opened 2 months ago
I am using these overrides
and have 0 vulnerablities (sep 11 2024)
"overrides": {
"body-parser": "1.20.3",
"nth-check": ">=2.0.2",
"serve-static": "2.1.0",
"postcss": ">=8.4.31"
},
See my full package.json
at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson
I am using these
overrides
and have 0 vulnerablities (sep 11 2024)"overrides": { "body-parser": "1.20.3", "nth-check": ">=2.0.2", "serve-static": "2.1.0", "postcss": ">=8.4.31" },
See my full
package.json
at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson
Do you have a suggested override to fix https://github.com/advisories/GHSA-gcx4-mw62-g8wm?
For now, this is my overrides list in packages.json
:
"overrides": {
"svgo": {
"nth-check": ">=2.0.2"
},
"react-scripts": {
"postcss": ">=8.4.31",
"workbox-webpack-plugin": ">=7.1.0"
},
"workbox-build": {
"rollup": ">=3.29.5"
},
"@rollup/plugin-babel": {
"rollup": ">=3.29.5"
},
"@rollup/plugin-replace": {
"rollup": ">=3.29.5"
}
},
I haven't seen any obvious breakages, but please test this before blindly using it in prod.
I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package in our prismacloudscan.
Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.
Node JS version: we tried all possible node versions like node v16.20.2,v18.90, v19.81. and v20.16.0. React version : 18.2.0
Methods we tried to fix the issue.
1) we are using latest react-scripts verison : 5.0.1, 2) we manually installed latest version of postcss and nth-check 3) we tried to override both dependencies in package.json "overrides": { "react-scripts": { "postcss":"8.4.31", "nth-check":"2.0.1" } } and
"overrides": { "postcss":"8.4.31", "nth-check":"2.0.1" }
we tried nth-check latest version 2.1.1 in overrides and 8.4.45.
we tried npm audit and got following results :
nth-check <2.0.1 Severity: high Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr fix available via
npm audit fix --force
Will install react-scripts@3.0.1, which is a breaking change node_modules/svgo/node_modules/css-select/node_modules/nth-check css-select <=3.1.0 Depends on vulnerable versions of nth-check node_modules/svgo/node_modules/css-select svgo 1.0.0 - 1.3.2 Depends on vulnerable versions of css-select node_modules/svgo @svgr/plugin-svgo <=5.5.0 Depends on vulnerable versions of svgo node_modules/@svgr/plugin-svgo @svgr/webpack 4.0.0 - 5.5.0 Depends on vulnerable versions of @svgr/plugin-svgo node_modules/@svgr/webpack react-scripts >=2.1.4 Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of resolve-url-loader node_modules/react-scriptspostcss <8.4.31 Severity: moderate PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j fix available via
npm audit fix --force
Will install react-scripts@3.0.1, which is a breaking change node_modules/resolve-url-loader/node_modules/postcss resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0 Depends on vulnerable versions of postcss node_modules/resolve-url-loaderrequest Severity: moderate Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6 Depends on vulnerable versions of tough-cookie fix available via
npm audit fix --force
Will install jest@29.7.0, which is a breaking change node_modules/request jsdom 0.1.20 || 0.2.0 - 16.5.3 Depends on vulnerable versions of request Depends on vulnerable versions of request-promise-native Depends on vulnerable versions of tough-cookie node_modules/zem/node_modules/jsdom jest-environment-jsdom 10.0.2 - 25.5.0 Depends on vulnerable versions of jsdom node_modules/zem/node_modules/jest-environment-jsdom request-promise-core Depends on vulnerable versions of request node_modules/request-promise-core request-promise-native >=1.0.0 Depends on vulnerable versions of request Depends on vulnerable versions of request-promise-core Depends on vulnerable versions of tough-cookie node_modules/request-promise-nativenow, we tried npm audit fix --force Still issue not resolved, please update react-scripts dependency it was updated 2 years ago