react is vulnerable #5049

Closed
RDIL opened this issue Sep 20, 2018 · 2 comments
Comments

@RDIL
Contributor

RDIL commented Sep 20, 2018

Here are the vulnerabilities (credit to snyk.io):

Denial of Service (DoS)

Vulnerable module: mem
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › webpack@3.8.1 › yargs@8.0.2 › os-locale@2.1.0 › mem@1.1.0
Remediation: No remediation path available. 

Overview

mem is an optimization technique used to speed up consecutive function calls by caching the result of calls with identical input.

Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. Old results are not deleted from the cache and could cause a memory leak.
medium severity
Regular Expression Denial of Service (ReDoS)

Vulnerable module: content-type-parser
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-environment-jsdom@20.0.3 › jsdom@9.12.0 › content-type-parser@1.0.2
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-config@20.0.4 › jest-environment-jsdom@20.0.3 › jsdom@9.12.0 › content-type-parser@1.0.2
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-environment-jsdom@20.0.3 › jsdom@9.12.0 › content-type-parser@1.0.2
Remediation: No remediation path available. 

Overview

content-type-parser parses the Content-Type header field into an introspectable data structure.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the user agent parser. It used a regular expression (/^(.?)/(.?)([\t ];.)?$/) in order to parse user agents. This can cause a very moderate impact of about 4 seconds matching time for data 30k characters long.
medium severity
Time of Check Time of Use (TOCTOU)

Vulnerable module: chownr
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › webpack@3.8.1 › watchpack@1.6.0 › chokidar@2.0.4 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › webpack-dev-server@2.11.3 › chokidar@2.0.4 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1
Remediation: No remediation path available. 

Overview

Affected versions of chownr are vulnerable to Time of Check Time of Use (TOCTOU). It does not dereference symbolic links and changes the owner of the link.
low severity
Regular Expression Denial of Service (ReDoS)

Vulnerable module: eslint
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › eslint@4.10.0
Remediation: No remediation path available. 

Overview

eslint is an AST-based pattern checker for JavaScript.

Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 100k characters long.
low severity
Regular Expression Denial of Service (ReDoS)

Vulnerable module: braces
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-jasmine2@20.0.4 › jest-snapshot@20.0.3 › jest-util@20.0.3 › jest-message-util@20.0.3 › micromatch@2.3.11 › braces@1.8.5
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-jasmine2@20.0.4 › jest-matchers@20.0.3 › jest-message-util@20.0.3 › micromatch@2.3.11 › braces@1.8.5
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-environment-jsdom@20.0.3 › jest-util@20.0.3 › jest-message-util@20.0.3 › micromatch@2.3.11 › braces@1.8.5
Remediation: No remediation path available.

…and 25 more
Overview

braces is a Bash-like brace expansion, implemented in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detect empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.

@gaearon
Contributor

gaearon commented Sep 20, 2018

It's a development dependency in all of the above cases.
There is no attack vector here — you can safely consider this a false positive and ignore it.

@gaearon gaearon closed this as completed Sep 20, 2018
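Worked example of the triage the reply above relies on, added here as an illustration; this is not code from create-react-app, React or Snyk. It parses Snyk-style dependency paths in the same "›"-separated format as the report, looks up the direct dependency (the second hop) in a constructed package.json for the "areactapp" project, and labels each finding as reaching the app through a production dependency or a development-only one. The manifest, the last finding (`example-prod-lib` / `example-vuln`) and the `action` strings are constructed for this example; the first three paths are copied from the report.

```javascript
// Added triage helper (not from create-react-app, React or Snyk): classify
// scanner findings by the scope of the direct dependency that pulls them in.

// Constructed package.json for the "areactapp" project named in the report.
const manifest = {
  name: 'areactapp',
  version: '1.0.0',
  dependencies: { react: '16.5.0', 'react-dom': '16.5.0', 'example-prod-lib': '1.0.0' },
  devDependencies: { 'react-scripts': '1.1.5' },
};

// Findings in the report's "›"-separated path format. The first three are
// copied from the report; the last is a hypothetical production-side finding
// included only to exercise the other branch.
const findings = [
  { module: 'mem', severity: 'medium',
    path: 'areactapp@1.0.0 › react-scripts@1.1.5 › webpack@3.8.1 › yargs@8.0.2 › os-locale@2.1.0 › mem@1.1.0' },
  { module: 'chownr', severity: 'medium',
    path: 'areactapp@1.0.0 › react-scripts@1.1.5 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1' },
  { module: 'eslint', severity: 'low',
    path: 'areactapp@1.0.0 › react-scripts@1.1.5 › eslint@4.10.0' },
  { module: 'example-vuln', severity: 'high',
    path: 'areactapp@1.0.0 › example-prod-lib@1.0.0 › example-vuln@0.1.0' },
];

// Split "name@version" on the last "@" so scoped packages ("@scope/pkg@1.0.0")
// keep their leading "@" in the name.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) throw new Error(`malformed package spec: ${spec}`);
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

function parsePath(path) {
  return path.split('›').map((s) => parseSpec(s.trim()));
}

// Hop 0 is the application itself; hop 1 is the direct dependency that brings
// the whole chain in, so its scope in the manifest decides the classification.
function scopeOf(manifest, path) {
  const hops = parsePath(path);
  if (hops.length < 2) return 'unknown';
  const direct = hops[1].name;
  if (manifest.dependencies && direct in manifest.dependencies) return 'production';
  if (manifest.devDependencies && direct in manifest.devDependencies) return 'development';
  return 'unknown';
}

function triage(manifest, findings) {
  return findings.map((f) => {
    const hops = parsePath(f.path);
    const scope = scopeOf(manifest, f.path);
    // Production paths ship to users and need a fix or a pinned override.
    // Development-only paths are not reachable from the deployed app; they only
    // matter if the build or lint tooling ever processes untrusted input.
    const action = scope === 'production' ? 'fix or override'
      : scope === 'development' ? 'review build-time exposure, likely ignore'
      : 'inspect manifest';
    return {
      module: f.module,
      severity: f.severity,
      scope,
      via: hops.length > 1 ? hops[1].name : null,
      depth: hops.length - 1,
      action,
    };
  });
}

// Count findings per scope for a one-line summary.
function summarize(results) {
  const counts = { production: 0, development: 0, unknown: 0 };
  for (const r of results) counts[r.scope] += 1;
  return counts;
}

const results = triage(manifest, findings);
for (const r of results) {
  console.log(`${r.severity.padEnd(6)} ${r.module.padEnd(13)} ${r.scope.padEnd(11)} via ${r.via} (${r.depth} hops): ${r.action}`);
}
console.log(summarize(results));
```

Run with `node triage.js`; the three paths from the report come out as `development` via `react-scripts`, and only the constructed `example-vuln` finding lands in the `production` bucket. The scope check answers the question the maintainer answered (is this code shipped to users?); whether a dev tool such as a linter or test runner ever runs on untrusted input in CI is a separate question that the manifest alone cannot settle.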
@RDIL
Contributor Author

RDIL commented Sep 21, 2018

ok thanks

@lock lock bot locked and limited conversation to collaborators Jan 18, 2019