Snyk Vulnerabilities on react-scripts@5.0.1 #13062

Open
velsonjr opened this issue Mar 13, 2023 · 8 comments

Comments

@velsonjr

When our application was run through Snyk recently, we found a couple of vulnerabilities. The details are as follows:

Regular Expression Denial of Service (ReDoS) (High Severity)
Package Manager: npm
Vulnerable module: nth-check
Paths: react-scripts@5.0.1 › @svgr/webpack@5.5.0 › @svgr/plugin-svgo@5.5.0 › svgo@1.3.2 › css-select@2.1.0 › nth-check@1.0.2

MPL-2.0 license (Medium Severity)
Package Manager: npm
Module: axe-core
Paths: react-scripts@5.0.1 › eslint-config-react-app@7.0.1 › eslint-plugin-jsx-a11y@6.5.1 › axe-core@4.4.1

Denial of Service (DoS) (Medium Severity)
Package Manager: npm
Vulnerable module: nwsapi
Paths: react-scripts@5.0.1 › jest@27.5.1 › @jest/core@27.5.1 › jest-config@27.5.1 › jest-environment-jsdom@27.5.1 › jsdom@16.7.0 › nwsapi@2.2.0

We are already running the latest version of react-scripts. Are any remediations possible?

@michaelssavage

Would adding the following to your package.json work?

"overrides": {
  "nth-check": "2.1.1"
}

@getsalty

getsalty commented Mar 17, 2023

Edit: the article Dan Abramov (dev) wrote about the vulnerabilities (TL;DR: they don't think it's an issue and won't fix it): https://overreacted.io/npm-audit-broken-by-design/

This has been discussed many, many times. The CRA devs don't care about vulnerabilities and won't do anything to fix it. If you care, stop using CRA. CRA is officially no longer a recommended project for creating React apps. Use something else.

If you want a close to 1-to-1 experience to CRA, then use Vite. This command can get you started:
npm create vite@latest my_project -- --template react-ts

If you want to go down the framework route, then use a suggestion from React's official docs: https://react.dev/learn/start-a-new-react-project

@giwiro

giwiro commented Apr 14, 2023

Would adding the following to your package.json work?

"overrides": {
  "nth-check": "2.1.1"
}

It did the trick for me. Thanks.

@burakd81

Would adding the following to your package.json work?

"overrides": {
  "nth-check": "2.1.1"
}

It did the trick for me. Thanks.

Thanks, it's working <3

@arifsoer

arifsoer commented Jun 5, 2023

"overrides": {
  "nth-check": "2.1.1"
}

This one doesn't work for me.
Does anyone have another suggestion?

@Gaurav-Sodhani

"overrides": {
  "nth-check": "2.1.1"
}

This one doesn't work for me. Does anyone have another suggestion?

Make sure you run 'npm audit fix' in your terminal after adding this to package.json.
Hope it works!

@CoderAWei

Have you ever met this issue?
Affected versions of this package are vulnerable to Sandbox Bypass when ImportParserPlugin.js mishandles magic comments to allow cross-realm object access. An attacker who controls a property of an untrusted object can access the real global object.

@AlonNavon

AlonNavon commented Aug 1, 2023

Hey @velsonjr @michaelssavage @arifsoer,

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an nth-check 1.02-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.
