Vulnerability Issues with nth-check in react-scripts Dependencies #13364

Open
niryaf opened this issue Sep 14, 2023 · 2 comments

Comments


niryaf commented Sep 14, 2023

Environment:

  • Operating System: Windows 11
  • IDE: Visual Studio Code
  • Node.js version: v18.17.1
  • npm version: 10.1.0

Description:
I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package. Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

NPM Audit Output:
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/react-scripts/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/react-scripts/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/react-scripts/node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/react-scripts/node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/react-scripts/node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

Steps to Reproduce:

  1. Updated to the latest version of react-scripts.
  2. Ran npm audit, revealing the vulnerability issue related to nth-check.
  3. Attempted to manually update dependencies and force resolutions.
  4. Checked again with npm audit, but the vulnerability warning persisted.

Expected Behavior:
The dependencies, especially nth-check, should be up-to-date, ensuring no vulnerabilities when executing npm audit.

Additional Context:
I made attempts to resolve this by updating individual packages and also using the npm-force-resolutions package. Unfortunately, the vulnerability continues to persist.

Seeking guidance or a potential fix for this vulnerability. Thank you for your assistance!


OlivierMartineau commented Sep 22, 2023

See this comment; it's important:
#13062 (comment)

If you consider migrating, check this article:
https://cathalmacdonnacha.com/migrating-from-create-react-app-cra-to-vite

If you really need to fix this warning, you can declare in your dependencies

"dependencies": {
    "nth-check": "^2.1.1"
}

and at the end of your package.json

"overrides": {
    "nth-check": "$nth-check"
}
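The override above only helps if npm actually collapses the nested copy under node_modules/react-scripts/node_modules/nth-check onto the fixed release, and npm audit alone can be slow to confirm that. The following Node script is an added example, not code from this thread or from react-scripts: it reads the "packages" map of a lockfileVersion 2 or 3 package-lock.json, flags every install path (top-level or nested) whose nth-check is below 2.0.1 (the first release not affected by GHSA-rp65-9cf3-cjxr), and sanity-checks that a "$nth-check" override points at a declared dependency whose spec floor is already fixed. The package.json and lockfile fragments embedded here are constructed for illustration; the version numbers are plausible but are not taken from the reporter's project.

```javascript
// Added example: verify that an npm "overrides" entry really removed every
// vulnerable copy of nth-check from the installed tree, by inspecting the
// lockfile instead of trusting `npm audit` alone. All sample data below is
// constructed for this example; it is not the reporter's real project.

// GHSA-rp65-9cf3-cjxr: nth-check < 2.0.1 is affected, so 2.0.1 is the floor.
const FIXED_VERSION = "2.0.1";

// Minimal comparison for plain "MAJOR.MINOR.PATCH" versions (no prerelease
// tags), returning -1, 0 or 1, so the check needs no third-party packages.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk a lockfile "packages" map and return every install path whose final
// path segment is `name` and whose version is below `fixedVersion`. Nested
// copies such as node_modules/react-scripts/node_modules/nth-check are the
// ones npm audit reports, so they must be found as well as the top-level one.
function findVulnerableCopies(lockPackages, name, fixedVersion) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockPackages)) {
    if (path === "") continue; // "" is the root project entry
    const last = path.split("node_modules/").pop(); // works for @scoped names too
    if (last !== name || !meta.version) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Check the package.json side: an override written as "$nth-check" tells npm
// to reuse the spec of the project's own dependency on nth-check, so that
// dependency must be declared and its range floor must be a fixed version.
function validateOverride(pkg, name, fixedVersion) {
  const override = (pkg.overrides || {})[name];
  if (!override) return { ok: false, reason: "no override declared for " + name };
  let spec = override;
  if (override.startsWith("$")) {
    const ref = override.slice(1);
    spec = (pkg.dependencies || {})[ref] || (pkg.devDependencies || {})[ref];
    if (!spec) return { ok: false, reason: "override references $" + ref + " but no such dependency is declared" };
  }
  // Strip a leading ^, ~ or >= operator to obtain the lowest version the spec allows.
  const floor = spec.replace(/^[\^~>=]+/, "");
  if (!/^\d+\.\d+\.\d+$/.test(floor)) return { ok: false, reason: "unsupported spec " + spec };
  if (compareVersions(floor, fixedVersion) < 0) return { ok: false, reason: "spec " + spec + " still allows vulnerable versions" };
  return { ok: true, spec };
}

// Run the same check against a real lockfile on disk (Node only).
function auditLockfile(lockPath) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(lockPath, "utf8"));
  return findVulnerableCopies(lock.packages || {}, "nth-check", FIXED_VERSION);
}

// Constructed package.json fragment mirroring the override from the comment.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "react-scripts": "5.0.1", "nth-check": "^2.1.1" },
  overrides: { "nth-check": "$nth-check" },
};

// Constructed "packages" map BEFORE the override: a nested old copy under
// react-scripts, which is exactly the path npm audit complains about.
const LOCK_BEFORE = {
  "": { name: "my-app" },
  "node_modules/react-scripts": { version: "5.0.1" },
  "node_modules/react-scripts/node_modules/nth-check": { version: "1.0.2" },
  "node_modules/nth-check": { version: "2.1.1" },
};

// Constructed "packages" map AFTER the override: only the fixed copy remains.
const LOCK_AFTER = {
  "": { name: "my-app" },
  "node_modules/react-scripts": { version: "5.0.1" },
  "node_modules/nth-check": { version: "2.1.1" },
};

console.log("before override:", findVulnerableCopies(LOCK_BEFORE, "nth-check", FIXED_VERSION));
console.log("after override: ", findVulnerableCopies(LOCK_AFTER, "nth-check", FIXED_VERSION));
console.log("override check: ", validateOverride(SAMPLE_PACKAGE_JSON, "nth-check", FIXED_VERSION));
```

To use it on a real project, run `auditLockfile("package-lock.json")` after `npm install`; an empty result means no nth-check below 2.0.1 is installed anywhere in the tree, regardless of what the audit summary says about react-scripts' declared ranges. If the nested path still shows up, the override was not applied (a common cause is a stale lockfile or an npm older than 8.3, which is when "overrides" was introduced).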

@palyvodaBoi

It doesn't work for me :(
Seems like it's time to migrate to Vite
