**There are no actual vulnerabilities here.** CRA 4.0.3, package dev dependency #11461

@NickCarducci

Description

releasing CRA 5 to the public may fix this issue

Environment

`npx create-react-app --info`

```text
Environment Info:

  current version of create-react-app: 4.0.3
  running from /home/sandbox/.npm/_npx/850/lib/node_modules/create-react-app

  System:
    OS: Linux 5.4 Debian GNU/Linux 10 (buster) 10 (buster)
    CPU: (12) x64 Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
  Binaries:
    Node: 14.17.6 - ~/.nvm/versions/node/v14.17.6/bin/node
    Yarn: 1.22.11 - ~/.nvm/versions/node/v14.17.6/bin/yarn
    npm: 6.14.15 - ~/.nvm/versions/node/v14.17.6/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: Not Found
  npmPackages:
    react: 17.0.2 => 17.0.2
    react-dom: 17.0.2 => 17.0.2
    react-scripts: ^4.0.3 => 4.0.3
  npmGlobalPackages:
    create-react-app: Not Found
```

Steps to reproduce

https://codesandbox.io/s/inspiring-driscoll-v5fmc
It works in CodeSandbox's environment, but not as a GitHub repository on Netlify, with CodeSandbox's hidden preinstall process (npm force-resolutions?).

Expected behavior

> There are no actual vulnerabilities here.
>
> Unfortunately, npm audit has no idea that these packages are development-only dependencies. From what I can tell, none of these "vulnerabilities" actually affect your application (or even development machine) in any way.
>
> This is pure security theater. Which is unfortunate, because it teaches people to ignore real vulnerabilities (which these are not, in the context of how they're used in CRA).

Originally posted by @gaearon in #11012 (comment)

Actual behavior

How are they used in CRA, for a package of a package?

`"node-fetch": "2.6.2"` is failing to be resolved because the pouchdb volunteers are busy, and/or they are sticklers for the advisory https://www.npmjs.com/advisories/1556, or they haven't noticed it:
pouchdb/pouchdb#8281 (comment)
I'll try npm force-resolutions.

```text
12:26:03 PM: # npm audit report
12:26:03 PM: browserslist  4.0.0 - 4.16.4
...
12:26:03 PM: Will install react-scripts@1.1.5, which is a breaking change
...
12:26:03 PM:   react-dev-utils  >=6.0.0-next.03604a46
12:26:03 PM:   Depends on vulnerable versions of browserslist
12:26:03 PM:   node_modules/react-dev-utils
12:26:03 PM:     react-scripts  >=0.10.0-alpha.328cb32e
...
12:26:03 PM: glob-parent  <5.1.2
12:26:03 PM: Severity: moderate
12:26:03 PM: Regular expression denial of service - https://npmjs.com/advisories/1751
12:26:03 PM: fix available via `npm audit fix --force`
12:26:03 PM: Will install react-scripts@1.1.5, which is a breaking change
12:26:03 PM: node_modules/webpack-dev-server/node_modules/glob-parent
12:26:03 PM:   chokidar  1.0.0-rc1 - 2.1.8
...
12:26:03 PM:   node_modules/webpack-dev-server/node_modules/chokidar
12:26:03 PM:     webpack-dev-server  2.0.0-beta - 3.11.2
...
12:26:03 PM:       node_modules/@pmmmwh/react-refresh-webpack-plugin
12:26:03 PM:         react-scripts  >=0.10.0-alpha.328cb32e
...
12:26:03 PM:         node_modules/react-scripts
12:26:03 PM: node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
12:26:03 PM: Denial of Service - https://npmjs.com/advisories/1556
12:26:03 PM: No fix available
12:26:03 PM: node_modules/pouchdb/node_modules/node-fetch
12:26:03 PM:   pouchdb  >=7.1.0
12:26:03 PM:   Depends on vulnerable versions of node-fetch
12:26:03 PM:   node_modules/pouchdb
```
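The distinction the quoted comment draws, between advisories that can reach shipped code and advisories that only sit in the build toolchain, is one `npm audit` itself does not make. The script below is an added example (not code from the issue author or the CRA project) that takes an npm 6-style `npm audit --json` report together with the project's package.json and sorts each advisory by the root of its dependency path. The report shape assumed here (an `advisories` map keyed by id, each with `findings[].paths` written as `root>dep>dep`), the hand-maintained `BUILD_ONLY_ROOTS` set, and every sample value are assumptions or constructed to mirror the log above, not copied from a real report.

```javascript
// Added example (not from the issue author or the CRA project): split an npm
// audit report into findings reachable at runtime and findings reachable only
// through the build toolchain.
//
// Assumptions (labelled): the report follows npm 6's `npm audit --json` shape,
// i.e. `advisories` keyed by id with `findings[].paths` of the form
// "root>dep>dep". All values below are constructed to mirror the issue's log.

// Constructed package.json. CRA lists react-scripts under `dependencies`,
// which is exactly why npm audit cannot tell it is a build-time tool.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    react: "17.0.2",
    "react-dom": "17.0.2",
    "react-scripts": "^4.0.3",
    pouchdb: "^7.1.0",
  },
  devDependencies: {},
};

// Constructed npm 6-style audit report carrying the two findings from the log.
// The installed versions are placeholders inside each advisory's range; the
// node-fetch advisory has no severity in the log, so none is given here.
const SAMPLE_AUDIT = {
  advisories: {
    1751: {
      module_name: "glob-parent",
      severity: "moderate",
      title: "Regular expression denial of service",
      findings: [
        { version: "3.1.0", paths: ["react-scripts>webpack-dev-server>chokidar>glob-parent"] },
      ],
    },
    1556: {
      module_name: "node-fetch",
      title: "Denial of Service",
      findings: [{ version: "2.6.0", paths: ["pouchdb>node-fetch"] }],
    },
  },
};

// Top-level packages that never ship in the production bundle even though
// package.json lists them under `dependencies`. Maintained by hand; anything
// not on it is treated as runtime until someone reviews it.
const BUILD_ONLY_ROOTS = new Set(["react-scripts"]);

// Root of a "root>dep>dep" path. Scoped names (@scope/pkg) contain no ">".
function pathRoot(path) {
  return path.split(">")[0];
}

// Is this one dependency path reachable from shipped code?
function pathScope(path, pkg, buildOnlyRoots) {
  const root = pathRoot(path);
  const dev = pkg.devDependencies || {};
  if (root in dev || buildOnlyRoots.has(root)) return "build-only";
  return "runtime";
}

// Classify every advisory. An advisory is "runtime" if ANY of its paths is
// runtime-reachable; one build-only path does not excuse a runtime one. An
// advisory with no paths at all is kept as runtime (the conservative default).
function classifyAudit(audit, pkg, buildOnlyRoots = BUILD_ONLY_ROOTS) {
  const results = [];
  for (const [id, adv] of Object.entries(audit.advisories || {})) {
    const paths = [];
    for (const f of adv.findings || []) for (const p of f.paths || []) paths.push(p);
    const scopes = paths.map((p) => pathScope(p, pkg, buildOnlyRoots));
    const scope = scopes.length === 0 || scopes.includes("runtime") ? "runtime" : "build-only";
    results.push({
      id: Number(id),
      module: adv.module_name,
      severity: adv.severity || "unknown",
      title: adv.title,
      paths,
      scope,
    });
  }
  return results;
}

// Counts per scope, so a CI gate can fail on runtime findings only.
function summarize(results) {
  const out = { runtime: 0, "build-only": 0 };
  for (const r of results) out[r.scope] += 1;
  return out;
}

// Human-readable report lines.
function formatReport(results) {
  const lines = [];
  for (const r of results) {
    lines.push(`${r.scope.padEnd(10)} #${r.id} ${r.module} (${r.severity}): ${r.title}`);
    for (const p of r.paths) lines.push(`           via ${p}`);
  }
  return lines;
}

const sampleResults = classifyAudit(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON);
console.log(formatReport(sampleResults).join("\n"));
console.log(summarize(sampleResults));
```

Because CRA puts react-scripts under `dependencies`, a check against `devDependencies` alone would still report glob-parent as runtime; the `BUILD_ONLY_ROOTS` set is what encodes the knowledge npm audit lacks, and it has to be reviewed like any other allowlist. The node-fetch advisory stays under runtime because pouchdb is a runtime dependency; whether node-fetch is actually bundled for the browser is a separate question the script deliberately does not answer, so unresolved findings are kept for review rather than silenced.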
