Fix react-scripts vulnerabilities #11012

Closed
faroscore opened this issue May 25, 2021 · 30 comments

Comments

@faroscore

There is a new high vulnerability with Memory Exposure that appears in the nested dependency dns-packet (https://npmjs.com/advisories/1745) and a moderate vulnerability with Regular Expression Denial of Service that appears in the nested dependency browserslist (https://npmjs.com/advisories/1747).

@Bismarck-GM

Same as @faroscore. Most of my warnings are coming from react-scripts package dependencies. Any update soon?

@croraf

croraf commented May 25, 2021

The problem is this bonjour that hasn't been updated in the last 5 years :O . watson/bonjour#63, the issue on bonjour, was opened today.

react-dev-utils package should update "browserslist" dependency though.

@mvmories

Same as the above comments. Looking forward to some updates.

@IevgeniiK-AVISPL

Same situation...

@stahlmanDesign

Same as #11007

@ritikasib

Facing the same issue with postcss vulnerabilities as well.

@Anacrius

Having the same problems with dns-packet and postcss

@jp94

jp94 commented May 26, 2021

My understanding is that dns-packet@1.3.3 has the patch, and we are waiting on the advisory to update? I did a fresh npm install today, and package-lock shows dns-packet@1.3.4.

mafintosh/multicast-dns#75

@cogrod17

Same problems here. Browserslist, postcss, and dns-packet. Uninstalling react-scripts gets rid of the vulnerabilities (of course not a solution).

@juanpedropuig

Same problem here #11012, waiting for some update

@croraf

croraf commented May 27, 2021

dns-packet should be fixed within that library now. Run "audit fix" to fix it.

@gregmarr

See also #10928 and the PRs #10135 and #10697.

@Primajin
Contributor

I can confirm that npm audit fix fixes the high severity issue with dns-packet.
However, there are still 80 moderate vulnerabilities.

@dbouchierarcad

I'm waiting for the new version of react-scripts to fix the vulnerabilities. I have 80 moderate vulnerabilities linked to postcss dependencies; if you look at the git project, the package.json is modified with the last version of postcss, but not in npm for the moment. To fix the high vulnerability in dns-packet I edited my project's package.json with this:

```json
"resolutions": {
  "underscore": "^1.13.1",
  "dns-packet": "^5.2.2"
}
```
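An added note on the snippet above, not from the commenter or the create-react-app project: the `resolutions` field is honoured by Yarn only; npm ignores it. npm gained an equivalent field, `overrides`, in npm 8.3 (after this thread was closed). The fragment below is an added illustration of the two side by side, with the same pin the comment used; the project name is made up.

```json
{
  "name": "my-app",
  "dependencies": {
    "react-scripts": "4.0.3"
  },
  "resolutions": {
    "dns-packet": "^5.2.2"
  },
  "overrides": {
    "dns-packet": "^5.2.2"
  }
}
```

Two caveats before copying it: a forced pin is a blunt instrument, and `^5.2.2` moves dns-packet across major versions for whatever consumes it (in this tree that is multicast-dns, per the mafintosh/multicast-dns#75 link above), so check that the consumer still works with the forced version or pin within the patched 1.x line that jp94 reports a fresh install already resolves. Either way, run `npm audit` (or `yarn audit`) again afterwards rather than trusting the edit: the pin only helps if the lockfile actually re-resolves to the patched version.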

@arwanfiles

same here...

@jemu51

jemu51 commented Jun 2, 2021

Same here.

```text
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > postcss-preset-env > postcss-selector-not >  │
│               │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1693                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

@bsubba

bsubba commented Jun 8, 2021

I am also waiting for this fix

@Raynesz

Raynesz commented Jun 8, 2021

This requires more attention. I currently have 87 vulnerable packages in react-scripts.

@pierre-H

pierre-H commented Jun 8, 2021

> This requires more attention. I currently have 87 vulnerable packages in react-scripts.

I totally agree

@klipitkas

102 vulnerabilities (86 moderate, 16 high)

@wshihdehx

Yeah, this needs to be fixed.

@croraf

croraf commented Jun 21, 2021

npm audit fix leaves only 5 moderate and 5 high at the moment.

@felkeM

felkeM commented Jun 27, 2021

I get the same issue too.

```text
npm audit report

browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1747
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils >=6.0.0-next.03604a46
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/svgo/node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 2.3.0
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo *
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack >=4.0.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo

glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts

normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
mini-css-extract-plugin 0.6.0 - 1.0.0
Depends on vulnerable versions of normalize-url
node_modules/mini-css-extract-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of mini-css-extract-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
postcss-normalize-url <=4.0.1
Depends on vulnerable versions of normalize-url
node_modules/postcss-normalize-url
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-normalize-url
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin

22 vulnerabilities (9 moderate, 13 high)
```

@jindong-zhang-git

118 Moderate | 5 High

@rhalaly

rhalaly commented Jun 28, 2021

These vulnerabilities have been around for a long time. Is there any plan to fix them??

@pierre-H

This problem is very serious and makes me consider using Svelte.

Please @gaearon @Timer: could you please give us some news...

@ghost

ghost commented Jun 29, 2021

Ongoing -- I hope there is a fix :)
#11092 (comment)

@AndreGCRamos

A fix for this would be great 🙏

@gaearon
Contributor

gaearon commented Jul 2, 2021

There are no actual vulnerabilities here.

Unfortunately, npm audit has no idea that these packages are development-only dependencies. From what I can tell, none of these "vulnerabilities" actually affect your application (or even development machine) in any way.

This is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA).

Yes, it would be good to cut a patch to remove the warnings, but we are all unfortunately wasting time here.

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To remove npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
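An added example, not code from the create-react-app project or from anyone in this thread, to make the closing comments concrete. The recommended fix (move react-scripts to devDependencies) works because npm records, for every entry in package-lock.json (lockfileVersion 2/3), whether it is reachable only through devDependencies as `"dev": true`; `npm audit --omit=dev` (npm 8+; `--production` on npm 7) uses that flag to skip dev-only trees. The script below applies the package.json change and then triages a set of audit findings against a lockfile, before and after the move. Everything in it is constructed: the audit object mirrors the `npm audit --json` shape of npm 7+ ("vulnerabilities" keyed by package name, each with a "nodes" array of node_modules paths) but is hand-written, the lockfile fragments are hand-written, "example-runtime-lib" is a hypothetical package, and the version numbers are illustrative.

```javascript
// Added example (not from the CRA project or this thread). Everything below is
// constructed: the audit object only mirrors the npm 7+ `npm audit --json`
// shape, the lockfile fragments are hand-written, "example-runtime-lib" is a
// hypothetical package, and version numbers are illustrative.

// The fix gaearon recommends, as a package.json transform.
function moveToDevDependencies(pkg, name) {
  const out = JSON.parse(JSON.stringify(pkg)); // do not mutate the input
  const deps = out.dependencies || {};
  const devDeps = out.devDependencies || {};
  if (name in deps) {
    devDeps[name] = deps[name];
    delete deps[name];
  }
  if (Object.keys(deps).length) out.dependencies = deps;
  else delete out.dependencies;
  out.devDependencies = devDeps;
  return out;
}

// Split audit findings into those reachable from a runtime dependency and
// those confined to the dev tree, using the lockfile's "dev" flags. A node
// that is missing from the lockfile is treated as runtime (fail closed).
function triageAudit(audit, lock) {
  const packages = lock.packages || {};
  const result = { runtime: [], devOnly: [] };
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const nodes = vuln.nodes || [];
    const devOnly =
      nodes.length > 0 &&
      nodes.every((p) => packages[p] !== undefined && packages[p].dev === true);
    result[devOnly ? "devOnly" : "runtime"].push(name);
  }
  return result;
}

// Constructed package.json before the fix: react-scripts under dependencies.
const samplePackageJson = {
  name: "my-app",
  dependencies: { react: "^17.0.2", "react-dom": "^17.0.2", "react-scripts": "4.0.3" },
};

// Constructed lockfile fragment as npm writes it while react-scripts is a
// runtime dependency: no "dev" flag anywhere in its subtree.
const lockBefore = {
  lockfileVersion: 2,
  packages: {
    "node_modules/react-scripts": { version: "4.0.3" },
    "node_modules/react-dev-utils": { version: "11.0.4" },
    "node_modules/react-dev-utils/node_modules/browserslist": { version: "4.14.2" },
    "node_modules/example-runtime-lib": { version: "1.0.0" },
  },
};

// The same fragment after moving react-scripts to devDependencies and
// reinstalling: the whole subtree is now flagged dev.
const lockAfter = {
  lockfileVersion: 2,
  packages: {
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/react-dev-utils": { version: "11.0.4", dev: true },
    "node_modules/react-dev-utils/node_modules/browserslist": { version: "4.14.2", dev: true },
    "node_modules/example-runtime-lib": { version: "1.0.0" },
  },
};

// Constructed audit output: the browserslist finding from this thread plus a
// hypothetical finding in a runtime package.
const sampleAudit = {
  vulnerabilities: {
    browserslist: {
      name: "browserslist",
      severity: "moderate",
      range: "4.0.0 - 4.16.4",
      nodes: ["node_modules/react-dev-utils/node_modules/browserslist"],
      via: [{ title: "Regular Expression Denial of Service", url: "https://npmjs.com/advisories/1747" }],
    },
    "example-runtime-lib": {
      name: "example-runtime-lib",
      severity: "high",
      range: "<1.0.1",
      nodes: ["node_modules/example-runtime-lib"],
      via: [{ title: "hypothetical finding, constructed for this example" }],
    },
  },
};

// Run the fix and the triage; returns everything the caller may want to check.
function demo() {
  return {
    fixedPackageJson: moveToDevDependencies(samplePackageJson, "react-scripts"),
    before: triageAudit(sampleAudit, lockBefore),
    after: triageAudit(sampleAudit, lockAfter),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Against the "before" lockfile both findings come out as runtime, which is exactly why the thread's audit reports looked so alarming; against the "after" lockfile the browserslist finding is dev-only and only the hypothetical runtime finding remains. The authoritative check is still `npm audit --omit=dev` on a lockfile regenerated after the move, since the flags only change on reinstall. One caveat the triage does not capture: "dev-only" means the code never ships in the app, not that it never runs. Build tooling executes on developer machines and CI, so a ReDoS in a dev dependency is still a way to stall a build, and a compromised dev dependency is a supply-chain risk regardless of where it sits in package.json.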