Security vulnerability of medium severity in react script module for inflight transitive dependency

[wesco-vishalprasad]

When i create a create react app i found a medium security vulnerability in inflight library https://www.npmjs.com/package/inflight?activeTab=versions, the details are below
Veracode Software Composition Analysis(SCA) scan screenshot

SRCCLR-SID-41137
Memory Leak: inflight is vulnerable to a Memory Leak. The vulnerability is due to lack of restriction
s on how many callbacks the library can concurrently support, which can result in a NodeJS out of heap memory crash.
We scanned using a licensed version of veracode tool
Inflight is no more maintained and react-script latest version 5.0.1 has this vulnerability
Please let us know if this can be fixed or any work around

[wesco-vishalprasad]

Any update on this?

[ammusiva]

I too required to fix this vulnerability

[diegoalbertopp]

Help me please

[avkamolov]

Any updates on this?

[wesco-anurajka]

Is anybody working on this?

[thecodeinfluencer]

Are you sure this comes from react-scripts? Check under Dependancy Graph section on the Veracode SCA scan.
For me it came from eslint package and react scripts had no issue. If for anyone else it is the eslint package then here's how I sorted it out:

https://dev.to/thecodeinfluencer/possible-fix-inflight-reported-as-a-vulnerability-in-react-project-veracode-sca-2b1h

[zhibirc]

npm ls inflight

Also, this explanation may be useful: #11174 (comment)

[famiclone]

https://github.com/facebook/create-react-app/blob/main/package-lock.json#L15116

[Netrunner-A]

Using v10 glob (10.4.2) will solve this as inflight is not used anymore, you can force this by adding "glob": "10.4.2" in your overrides in package.json.

Example:

"dependencies": {
    # ...
},
"overrides": {
    "glob": "10.4.2"
}

This change didn't cause issues in my application, and I don't think it will in yours, but you should test just in case.
Side-note: react-scripts is deprecated and should be avoided anyway for production.