search

tawk / tawk-messenger-react

Official React plugin for Tawk messenger
https://www.tawk.to
Other
23 stars 15 forks source link

react-scripts dependancies #20

Closed creativeindustriesgroup closed 1 year ago

creativeindustriesgroup commented 1 year ago

Hello,

Installing this library in my React App gives me high severity vulnerability warnings:

% npm audit --production

npm audit report

nth-check <2.0.1 Severity: high Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr No fix available node_modules/svgo/node_modules/nth-check ├── css-select <=3.1.0 ├── Depends on vulnerable versions of nth-check └── node_modules/svgo/node_modules/css-select ├── svgo 1.0.0 - 1.3.2 ├── Depends on vulnerable versions of css-select └── node_modules/svgo ├── @svgr/plugin-svgo <=5.5.0 ├── Depends on vulnerable versions of svgo └── node_modules/@svgr/plugin-svgo ├── @svgr/webpack 4.0.0 - 5.5.0 ├── Depends on vulnerable versions of @svgr/plugin-svgo └── node_modules/@svgr/webpack ├── react-scripts >=2.1.4 ├── Depends on vulnerable versions of @svgr/webpack └── node_modules/react-scripts ├── @tawk.to/tawk-messenger-react * ├── Depends on vulnerable versions of react-scripts └── node_modules/@tawk.to/tawk-messenger-react

7 high severity vulnerabilities

My application is running on react-scripts 5.0.1 and this error does not happen when I uninstall Tawk.to

creativeindustriesgroup commented 1 year ago

Thanks for looking into this @jafin. Unfortunately I'm still having the same issue following the update.

npm install @tawk.to/tawk-messenger-react

added 1 package, and audited 1588 packages in 5s

7 high severity vulnerabilities
npm audit --production

# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
No fix available
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts
            @tawk.to/tawk-messenger-react  *
            Depends on vulnerable versions of react-scripts
            node_modules/@tawk.to/tawk-messenger-react

7 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.