stanleyowen / otlio

An open source project of Todo which is easy to use and easy to organize!
https://otlio.netlify.app
MIT License
23 stars, 3 forks

Received Vulnerabilities after Run `npm install` Command #218

Open stanleyowen opened 3 years ago

stanleyowen commented 3 years ago

Describe the bug: On the client side, after running the npm install command, I received 96 vulnerabilities (85 moderate, 11 high). Any solutions to this problem?

To Reproduce: Steps to reproduce the behavior:

  1. Open cmd and change directory to client
  2. Run npm install to download all necessary dependencies
  3. See error

Screenshots: (screenshot of the vulnerabilities reported after running npm install)


stanleyowen commented 3 years ago

Here are the details of vulnerabilities:

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of mini-css-extract-plugin        
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  *
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  >=4.0.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of mini-css-extract-plugin  
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader       
          Depends on vulnerable versions of webpack-dev-server       
          node_modules/react-scripts
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of postcss
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4     
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of css-loader
        Depends on vulnerable versions of mini-css-extract-plugin    
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of resolve-url-loader
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url        
  mini-css-extract-plugin  0.6.0 - 1.0.0
  Depends on vulnerable versions of normalize-url
  node_modules/mini-css-extract-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of mini-css-extract-plugin        
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
    cssnano-preset-default  <=4.0.8
    Depends on vulnerable versions of css-declaration-sorter
    Depends on vulnerable versions of cssnano-util-raw-cache
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-normalize-url
    node_modules/cssnano-preset-default

postcss  7.0.0 - 7.0.35 || 8.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  autoprefixer  9.0.0 - 9.8.6
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  css-blank-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-blank-pseudo
  css-declaration-sorter  4.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/css-declaration-sorter
    cssnano-preset-default  <=4.0.8
    Depends on vulnerable versions of css-declaration-sorter
    Depends on vulnerable versions of cssnano-util-raw-cache
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-normalize-url
    node_modules/cssnano-preset-default
  css-has-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-has-pseudo
    postcss-preset-env  >=6.0.0
    Depends on vulnerable versions of css-has-pseudo
    Depends on vulnerable versions of css-prefers-color-scheme       
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-color-gray
    Depends on vulnerable versions of postcss-double-position-gradients
    node_modules/postcss-preset-env
  css-loader  2.0.0 - 4.3.0
  Depends on vulnerable versions of postcss
  node_modules/css-loader
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of mini-css-extract-plugin        
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  css-prefers-color-scheme  *
  Depends on vulnerable versions of postcss
  node_modules/css-prefers-color-scheme
  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11     
  Depends on vulnerable versions of postcss
  node_modules/cssnano
    optimize-css-assets-webpack-plugin  3.2.1 || 5.0.2 - 5.0.6       
    Depends on vulnerable versions of cssnano
    node_modules/optimize-css-assets-webpack-plugin
  cssnano-util-raw-cache  >=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  icss-utils  4.0.0 - 4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  2.0.0 - 4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  2.0.0 - 4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-attribute-case-insensitive  4.0.0 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-attribute-case-insensitive
  postcss-browser-comments  2.0.0 - 3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-browser-comments
    postcss-normalize  7.0.0 - 9.0.0
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-browser-comments       
    node_modules/postcss-normalize
  postcss-calc  6.0.2 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/postcss-calc
  postcss-color-functional-notation  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-functional-notation
  postcss-color-gray  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-gray
  postcss-color-hex-alpha  4.0.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-hex-alpha
  postcss-color-mod-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-mod-function
  postcss-color-rebeccapurple  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-rebeccapurple
  postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-colormin
  postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-convert-values
  postcss-custom-media  7.0.0 - 7.0.8
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-media
  postcss-custom-properties  8.0.0 - 10.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-properties
  postcss-custom-selectors  5.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-selectors
  postcss-dir-pseudo-class  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-dir-pseudo-class
  postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-comments
  postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-duplicates
  postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-empty
  postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-overridden
  postcss-double-position-gradients  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-double-position-gradients
  postcss-env-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-env-function
  postcss-flexbugs-fixes  4.0.0 - 4.2.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-flexbugs-fixes
  postcss-focus-visible  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-visible
  postcss-focus-within  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-within
  postcss-font-variant  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-font-variant
  postcss-gap-properties  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-gap-properties
  postcss-image-set-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-image-set-function
  postcss-initial  3.0.0 - 3.0.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-initial
  postcss-lab-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-lab-function
  postcss-loader  3.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-loader
  postcss-logical  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-logical
  postcss-media-minmax  4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-media-minmax
  postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-longhand
  postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-rules
  postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-font-values
  postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-gradients
  postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-params
  postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-selectors
  postcss-modules-extract-imports  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  2.0.0 - 2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-nesting  7.0.0 - 7.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-nesting
  postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2    
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2      
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2  
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-unicode
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2        
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-whitespace
  postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-ordered-values
  postcss-overflow-shorthand  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-overflow-shorthand
  postcss-page-break  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-page-break
  postcss-place  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-place
  postcss-pseudo-class-any-link  >=6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-pseudo-class-any-link
  postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-initial
  postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-transforms
  postcss-replace-overflow-wrap  3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-replace-overflow-wrap
  postcss-selector-matches  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-matches
  postcss-selector-not  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-not
  postcss-svgo  >=4.0.0-nightly.2020.1.9
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of svgo
  node_modules/postcss-svgo
  postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-unique-selectors
  resolve-url-loader  3.0.1 - 4.0.0-beta.2
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
  stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3   
  Depends on vulnerable versions of postcss
  node_modules/stylehacks

96 vulnerabilities (85 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
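
The report above lists 96 findings, but they collapse to five root advisories (browserslist, css-what, glob-parent, normalize-url, postcss); every chain in the report ends at react-scripts, and for all five the only fix npm offers is the breaking downgrade to react-scripts@1.1.5, which is why a blind `npm audit fix --force` is not an answer. The triage script below is an added example, not part of the otlio project: it reads the JSON form of the same audit (`npm audit --json`, npm 7's auditReportVersion 2 format) and, for each root advisory, reports the severity, which direct dependency pulls it in, and whether the available fix is semver-major. The embedded SAMPLE_AUDIT is constructed to mirror the browserslist and css-what chains from the report; the field names (vulnerabilities, via, effects, isDirect, fixAvailable) are npm's, while sample values other than the advisory titles, URLs and ranges printed above are illustrative.

```javascript
// Added triage helper for `npm audit --json` (npm 7+, auditReportVersion 2).
// Not part of the otlio project; field names follow npm's JSON report format.
'use strict';

// Constructed sample mirroring two chains from the report on this issue:
//   browserslist -> react-dev-utils -> react-scripts
//   css-what -> css-select -> svgo -> @svgr/plugin-svgo -> @svgr/webpack -> react-scripts
// Advisory titles, URLs and ranges are those printed by npm; other values are illustrative.
const ADVISORY_1747 = { source: 1747, name: 'browserslist', dependency: 'browserslist',
  title: 'Regular Expression Denial of Service', url: 'https://npmjs.com/advisories/1747',
  severity: 'moderate', range: '4.0.0 - 4.16.4' };
const ADVISORY_1754 = { source: 1754, name: 'css-what', dependency: 'css-what',
  title: 'Denial of Service', url: 'https://npmjs.com/advisories/1754',
  severity: 'high', range: '<5.0.1' };

// Builds one entry of report.vulnerabilities; `via` holds advisory objects for the package
// that is itself vulnerable and package names for packages that merely depend on one.
function vuln(name, severity, via, effects, isDirect = false) {
  return { name, severity, isDirect, via, effects, range: '*', nodes: [`node_modules/${name}`],
    fixAvailable: { name: 'react-scripts', version: '1.1.5', isSemVerMajor: true } };
}

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'browserslist': vuln('browserslist', 'moderate', [ADVISORY_1747], ['react-dev-utils']),
    'react-dev-utils': vuln('react-dev-utils', 'moderate', ['browserslist'], ['react-scripts']),
    'css-what': vuln('css-what', 'high', [ADVISORY_1754], ['css-select']),
    'css-select': vuln('css-select', 'high', ['css-what'], ['svgo']),
    'svgo': vuln('svgo', 'high', ['css-select'], ['@svgr/plugin-svgo']),
    '@svgr/plugin-svgo': vuln('@svgr/plugin-svgo', 'high', ['svgo'], ['@svgr/webpack']),
    '@svgr/webpack': vuln('@svgr/webpack', 'high', ['@svgr/plugin-svgo'], ['react-scripts']),
    'react-scripts': vuln('react-scripts', 'high', ['react-dev-utils', '@svgr/webpack'], [], true),
  },
};

// Root advisories: entries whose `via` contains advisory objects rather than package names.
// npm's headline count includes every package that transitively depends on a vulnerable
// version, so this list is usually far shorter than "96 vulnerabilities".
function rootAdvisories(report) {
  const out = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via || []) {
      if (typeof via === 'object' && via !== null) {
        out.push({ package: v.name, severity: via.severity, title: via.title, url: via.url, range: via.range });
      }
    }
  }
  return out;
}

// Follow `effects` edges upward until the project's own direct dependencies (isDirect: true).
// The visited set guards against dependency cycles, which real audit graphs do contain.
function directRoots(report, pkg) {
  const roots = new Set();
  const seen = new Set();
  const stack = [pkg];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const v = report.vulnerabilities[name];
    if (!v) continue;
    if (v.isDirect) roots.add(name);
    for (const e of v.effects || []) stack.push(e);
  }
  return [...roots].sort();
}

// What `npm audit fix` / `--force` would do for an entry: false = no fix, true = non-breaking,
// object = a specific (possibly semver-major) install of the named package.
function fixSummary(v) {
  const f = v.fixAvailable;
  if (f === false || f === undefined) return { available: false, breaking: false, installs: null };
  if (f === true) return { available: true, breaking: false, installs: null };
  return { available: true, breaking: Boolean(f.isSemVerMajor), installs: `${f.name}@${f.version}` };
}

// One row per root advisory: severity, the direct dependency that pulls it in, and fix impact.
function triage(report) {
  return rootAdvisories(report).map((a) => ({
    ...a,
    reachedVia: directRoots(report, a.package),
    fix: fixSummary(report.vulnerabilities[a.package]),
  }));
}

function formatTriage(rows) {
  return rows.map((r) => {
    const fix = !r.fix.available ? 'none'
      : r.fix.breaking ? `BREAKING, would install ${r.fix.installs}` : 'non-breaking';
    return `${r.severity.padEnd(8)} ${r.package} (${r.range}): ${r.title} <${r.url}>` +
      `\n         reached via: ${r.reachedVia.join(', ') || '(no direct dependency found)'}` +
      `\n         fix: ${fix}`;
  }).join('\n');
}

// Usage: node audit-triage.js [audit.json]; with no argument it runs on the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const report = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_AUDIT;
  console.log(formatTriage(triage(report)));
}
```

Run `npm audit --json > audit.json` in the client directory and pass the file to the script. The `effects` walk is the part worth keeping: it tells you which direct dependency (here react-scripts) a finding hangs off, so you can judge whether a single upgrade clears it, instead of reasoning from npm's headline count.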
stanleyowen commented 3 years ago

I have just recently updated all the dependencies and pushed them to the v0.5.7 branch (211b85f0ea2c4f465cf417e13995d4c47f4883f8). I will soon be working to fix the remaining 24 vulnerabilities (11 moderate, 13 high).

Here is the latest Audit Report:

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin        
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  *
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  >=4.0.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of mini-css-extract-plugin  
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of resolve-url-loader       
          Depends on vulnerable versions of webpack-dev-server       
          node_modules/react-scripts
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-normalize-url      
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default   
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.6
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4     
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of mini-css-extract-plugin    
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of resolve-url-loader
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url        
  mini-css-extract-plugin  0.6.0 - 1.0.0
  Depends on vulnerable versions of normalize-url
  node_modules/mini-css-extract-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin        
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  node_modules/postcss-normalize-url
    cssnano-preset-default  *
    Depends on vulnerable versions of postcss-normalize-url
    Depends on vulnerable versions of postcss-svgo
    node_modules/cssnano-preset-default
      cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
      Depends on vulnerable versions of cssnano-preset-default       
      node_modules/cssnano
        optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.6   
        Depends on vulnerable versions of cssnano
        node_modules/optimize-css-assets-webpack-plugin

postcss  7.0.0 - 7.0.35 || 8.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  3.0.1 - 4.0.0-beta.2
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of mini-css-extract-plugin        
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of resolve-url-loader
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

24 vulnerabilities (11 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
stanleyowen commented 3 years ago

We have fixed some vulnerabilities in the latest commit, which was recently pushed to the master branch (aebffa01cd100916c2b8ec7c5397f79ac1cda746). In detail, there are still 22 vulnerabilities (9 moderate, 13 high), and we will soon be working to solve them.

Here is the latest Audit Report:

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist     
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack  
    Depends on vulnerable versions of mini-css-extract-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select     
    node_modules/svgo
      @svgr/plugin-svgo  *
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  >=4.0.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e     
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of mini-css-extract-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-normalize-url
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11   
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent      
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar       
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack  
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar       
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e       
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of mini-css-extract-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0     
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
  mini-css-extract-plugin  0.6.0 - 1.0.0
  Depends on vulnerable versions of normalize-url    
  node_modules/mini-css-extract-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack  
    Depends on vulnerable versions of mini-css-extract-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url    
  node_modules/postcss-normalize-url
    cssnano-preset-default  *
    Depends on vulnerable versions of postcss-normalize-url
    Depends on vulnerable versions of postcss-svgo   
    node_modules/cssnano-preset-default
      cssnano  4.0.0-nightly.2020.1.9 - 4.1.11       
      Depends on vulnerable versions of cssnano-preset-default
      node_modules/cssnano
        optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
        Depends on vulnerable versions of cssnano    
        node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
stanleyowen commented 3 years ago

In the latest commit on the v0.5.8 branch (7a5631b7f0a75d148a5e3542c671f5a517113ff1), we have successfully solved some vulnerabilities; 19 vulnerabilities (9 moderate, 10 high) remain, and we will soon be working to solve them.

Here is the latest Audit Report:

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist      
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack   
    Depends on vulnerable versions of react-dev-utils 
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754 
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select      
    node_modules/svgo
      @svgr/plugin-svgo  *
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  >=4.0.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e      
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack-dev-server
          node_modules/react-scripts
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11    
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano 
            node_modules/optimize-css-assets-webpack-plugin

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent       
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar        
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack   
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar        
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e        
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

19 vulnerabilities (9 moderate, 10 high)

To address issues that do not require attention, run: 
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
stanleyowen commented 3 years ago

After working for some period of time, we have successfully fixed all high vulnerabilities in the latest commit on the v0.5.9 branch - 4ebe81b568aa8348883c5bc69071301dc1a4d6b8. Note that we will continue to fix the remaining 10 moderate severity vulnerabilities. The latest audit report details:

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  >=6.0.0-next.03604a46
  Depends on vulnerable versions of browserslist      
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of react-dev-utils 
    Depends on vulnerable versions of webpack-dev-server
    node_modules/react-scripts

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent       
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar        
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack   
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar        
    node_modules/webpack-dev-server
      @pmmmwh/react-refresh-webpack-plugin  0.3.1 - 0.5.0-beta.4
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@pmmmwh/react-refresh-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e        
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        node_modules/react-scripts

10 moderate severity vulnerabilities

To address issues that do not require attention, run: 
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force