
npm audit failure (high severity) due to dns-packet #11007

Closed
entorenee opened this issue May 24, 2021 · 8 comments

Comments

@entorenee

Describe the bug

npm audit currently fails on react-scripts@4.0.3 due to a high security vulnerability in dns-packet. The dependency path is react-scripts > webpack-dev-server > bonjour > multicast-dns > dns-packet. The respective npm advisory is at https://www.npmjs.com/advisories/1745.

Screenshot of the particular audit failure.

Steps to reproduce

  1. Run npm audit on react-scripts@4.0.3
  2. Try to run npm audit fix
  3. Confirm that the fix was not auto resolved.

Expected behavior

npm audit can exit successfully.

Actual behavior

npm audit fails
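One way to triage a report like this in CI, as an added example that is not from the issue thread: it parses `npm audit --json` output in the npm 7 report layout (`auditReportVersion` 2), follows the `effects` links from the advisory's package out to the top-level package to rebuild the dependency path named above, and reports what npm says about fixability (the `fixAvailable` field is `true`, `false`, or an object describing a semver-major upgrade). The JSON below is a constructed sample modelled on that path, not the reporter's real audit output; the advisory id and URL are the ones cited in the issue and the version range is a placeholder.

```python
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 7 `npm audit --json` layout (auditReportVersion 2),
# modelled on the path react-scripts > webpack-dev-server > bonjour > multicast-dns
# > dns-packet. The advisory id and URL are the ones the issue cites; the
# vulnerable range is a placeholder, not the advisory's real data.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "dns-packet": {"severity": "high", "effects": ["multicast-dns"], "fixAvailable": False,
                   "via": [{"source": 1745, "name": "dns-packet", "severity": "high",
                            "url": "https://www.npmjs.com/advisories/1745",
                            "range": "<PLACEHOLDER-FIXED-VERSION"}]},
    "multicast-dns": {"severity": "high", "via": ["dns-packet"], "effects": ["bonjour"]},
    "bonjour": {"severity": "high", "via": ["multicast-dns"], "effects": ["webpack-dev-server"]},
    "webpack-dev-server": {"severity": "high", "via": ["bonjour"], "effects": ["react-scripts"]},
    "react-scripts": {"severity": "high", "via": ["webpack-dev-server"], "effects": []},
}})

def chains_up(vulns, pkg):
    """Chains from each top-level package down to `pkg`, via the `effects` (dependents) links."""
    parents = vulns[pkg].get("effects", [])
    if not parents:
        return [[pkg]]
    return [chain + [pkg] for p in parents for chain in chains_up(vulns, p)]

def fix_kind(fix):
    # npm's fixAvailable is true, false, or {name, version, isSemVerMajor: true}
    if fix is True:
        return "fixable by npm audit fix"
    if isinstance(fix, dict):
        return f"needs major upgrade to {fix.get('name')}@{fix.get('version')}"
    return "no fix available"

def unresolved_findings(audit_json, min_severity="high"):
    """Advisories >= min_severity that npm cannot fix without a breaking change, with full path."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    findings = []
    for pkg, entry in vulns.items():
        for via in entry["via"]:
            # a plain string in `via` means "vulnerable only through another package"
            if not isinstance(via, dict) or entry.get("fixAvailable") is True:
                continue
            if SEVERITY_RANK[via["severity"]] < SEVERITY_RANK[min_severity]:
                continue
            for chain in chains_up(vulns, pkg):
                findings.append({"advisory": via["source"], "url": via["url"],
                                 "path": " > ".join(chain),
                                 "fix": fix_kind(entry.get("fixAvailable"))})
    return findings
```

Feed it real output with `unresolved_findings(subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True).stdout)`; npm exits non-zero when it finds vulnerabilities, so read stdout rather than checking the return code.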

@Primajin
Contributor

Yeah there are currently 8 Issues via dependencies: https://snyk.io/test/npm/react-scripts/4.0.3
This other high severity issue is via lodash.template - I hope we can fix these issues asap 🤞🏻

@stahlmanDesign

Yeah there are currently 8 Issues via dependencies: https://snyk.io/test/npm/react-scripts/4.0.3
This other high severity issue is via lodash.template - I hope we can fix these issues asap 🤞🏻

Luckily the lodash patch can be fixed with npm audit fix, whereas the dns-packet issue cannot (a more complex dependency?). So the dns-packet fix is more urgent, although yes would be nice to get all the patches if it doesn't slow down the release

@stahlmanDesign

npm audit fix now updates dns-packet #11012 (comment)

@Primajin
Contributor

I can confirm that npm audit fix fixes the high severity issue with dns-packet.
However, there are still 80 moderate vulnerabilities.

@Koonstaantiin

Could you suggest please how to fix this error with yarn?

@MengRS

MengRS commented Jun 21, 2021

Yeah there are currently 8 Issues via dependencies: https://snyk.io/test/npm/react-scripts/4.0.3
This other high severity issue is via lodash.template - I hope we can fix these issues asap 🤞🏻

Luckily the lodash patch can be fixed with npm audit fix, whereas the dns-packet issue cannot (a more complex dependency?). So the dns-packet fix is more urgent, although yes would be nice to get all the patches if it doesn't slow down the release

@stahlmanDesign - npm audit fix does not fix the lodash.template issue for me in snyk... can you confirm it did for you?

using snyk:

@stahlmanDesign

npm-audit-output.txt
@MengRS See my npm audit output. Found 10 vulnerabilities (1 low, 5 moderate, 4 high), no lodash issues

@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021