nth-check <2.0.1 Severity: high && json5 <2.2.2 Severity: high

[alk-m90387]

json5 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/tsconfig-paths/node_modules/json5
tsconfig-paths 3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
Depends on vulnerable versions of json5
node_modules/tsconfig-paths
eslint-plugin-import >=2.24.2
Depends on vulnerable versions of tsconfig-paths
node_modules/eslint-plugin-import
eslint-config-react-app >=7.0.0-next.75
Depends on vulnerable versions of eslint-plugin-import
node_modules/eslint-config-react-app
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of eslint-config-react-app
node_modules/react-scripts

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@4.0.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of eslint-config-react-app

[hoffmannjan]

Any updates? When we can expect new release?

[Lelith]

Just writing to also confirm, that react-scripts v 5.0.1 prevents us from fixing the criticial security issue coming from JSON5 < v2.2.2 (see https://github.com/json5/json5/blob/main/CHANGELOG.md#v222-code-diff)

[sergei-lobanov]

Who can triage it/update and release a hotfix?

[Nbestwl]

Does anyone have a workaround for this issue?

[alk-m90387]

Hi, I have upgraded the version of nth-check and json5 in my package.lock.json manually. It is not the permanent solution. I would like to request to CRA to release a security patch regarding. react-scripts v5.0.1 depends on the lower version. Thanks & Regards, Aloke Basak From: Lei Wang ***@***.***> Sent: Tuesday, 10 January 2023 00:28 To: facebook/create-react-app ***@***.***> Cc: Aloke Basak ***@***.***>; Author ***@***.***> Subject: [EXT] Re: [facebook/create-react-app] nth-check <2.0.1 Severity: high && json5 <2.2.2 Severity: high (Issue #12936) EXTERNAL<https://external.tdc.dk/> Does anyone have a workaround for this issue? - Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/facebook/create-react-app/issues/12936*issuecomment-1376132015__;Iw!!GNpmbAs!EtHlVh9qW8cEKWJnP6YnpC4LZAQ0ZiI2TFIfceUO_Uz57kB8AXfGuAt_LIMqBHsl-1EFAfuK6qAZPPbVBJKWEl0$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AQ26ATAYOGGSRSO36J2USSDWRRNTLANCNFSM6AAAAAATL5G7CI__;!!GNpmbAs!EtHlVh9qW8cEKWJnP6YnpC4LZAQ0ZiI2TFIfceUO_Uz57kB8AXfGuAt_LIMqBHsl-1EFAfuK6qAZPPbVKZYNJpY$>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[yefei0423]

Is there any updates for this issue?

[CodyWalraven]

Checking for any updates to this as well. Still unable to resolve the vulnerability until this is updated.

[WilliamPriorielloGarda]

see #11174

[mark-wiemer]

Yes, #11174 clarifies that this is a non-issue. react-scripts should be a dev dependency and npm audit should be run with --omit=dev (the replacement to --production). Thanks for the link, @WilliamPriorielloGarda

This "security vulnerability" will not affect end-users as react-scripts isn't actually used in apps created by CRA by default. Unless you're somehow referencing react-scripts from your production app, you're fine.

[martinhrvn]

Yes, #11174 clarifies that this is a non-issue. react-scripts should be a dev dependency and npm audit should be run with --omit=dev (the replacement to --production). Thanks for the link, @WilliamPriorielloGarda

This "security vulnerability" will not affect end-users as react-scripts isn't actually used in apps created by CRA by default. Unless you're somehow referencing react-scripts from your production app, you're fine.

I don't quite agree that audit should be run for production packages only. If I were an attacker I would hide some malicious code into something like webpack plugin.

In this case it doesn't seem to be an issue. But if I create new CRA the react scripts are not devDependencies

[vaughngit]

some reason I kept running npm audit --omit-dev and still received error outputs (note I was using dash instead of the assignment). Dropping this note for others like me: :) The correct command is:

npm audit --omit=dev
npm audit --omit dev works as well and is easier to read in my opinion :)