Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security vulnerability with is-svg@^3.0.0 #10762

Closed
Juandkpa opened this issue Mar 29, 2021 · 11 comments
Closed

Security vulnerability with is-svg@^3.0.0 #10762

Juandkpa opened this issue Mar 29, 2021 · 11 comments

Comments

@Juandkpa
Copy link

Describe the bug

Dependabot alerts for a high severity vulnerability:

Dependabot cannot update is-svg to a non-vulnerable version
The latest possible version that can be installed is 3.0.0 because of the following conflicting dependency:

[email protected] requires is-svg@^3.0.0 via a transitive dependency on [email protected]
The earliest fixed version is 4.2.2.

CVE-2021-28092

Suggested dependabot remediation

Upgrade is-svg to version 4.2.2 or later. For example:

"dependencies": {
  "is-svg": ">=4.2.2"
}

or…

"devDependencies": {
  "is-svg": ">=4.2.2"
}
@AviVahl
Copy link

AviVahl commented Apr 6, 2021

Should be fixed now. New postcss-svgo patch release dropped is-svg.

@jiridanek
Copy link

jiridanek commented Apr 24, 2021

Should be fixed now. New postcss-svgo patch release dropped is-svg.

Thanks, I just did npm update postcss-svgo --depth=5 --dev

@cmacdonnacha
Copy link

cmacdonnacha commented Apr 26, 2021

Hey, any idea when this will be addressed or is there a workaround for now?

@nj314
Copy link

nj314 commented Apr 26, 2021

Hey, any idea when this will be addressed or is there a workaround for now?

@cmacdonnacha This was fixed by a bugfix release from postcss-svgo. Bugfix releases can be automatically picked up by your application without a corresponding release from react-scripts. You can either delete and rebuild your package-lock.json to pick it up, or as suggested by @jiridanek, run npm update postcss-svgo --depth=5 --dev.

@cmacdonnacha
Copy link

cmacdonnacha commented Apr 26, 2021

Excellent thanks @nj314. Will give that a go.

EDIT: This worked: npm update postcss-svgo --depth=5 --dev

@ziaulrehman40
Copy link

not sure why, but this npm update postcss-svgo --depth=5 --dev is not doing anything for me. 🤔

@cmacdonnacha
Copy link

A new vulnerability has been found on postcss too.

Remediation
Upgrade postcss to version 8.2.10 or later. For example:

"dependencies": {
  "postcss": ">=8.2.10"
}
or…
"devDependencies": {
  "postcss": ">=8.2.10"
}

@ziaulrehman40
Copy link

ziaulrehman40 commented May 24, 2021

react-scripts: 4.0.3 has "resolve-url-loader": "^3.1.2" dependency, which resolves to 3.1.3.
resolve-url-loader: 3.1.3 lists a dependency: "postcss": "7.0.21" which is a fixed version dependency, so I am unable to get rid of postcss security issue even if i add "postcss": ">=8.2.10" in my package.json.

Sounds like react-script needs some updates to fix all these vulnerabilities.

@stale
Copy link

stale bot commented Jun 26, 2021

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Jun 26, 2021
@cmacdonnacha
Copy link

Still an issue.

@stale stale bot removed the stale label Jun 26, 2021
@gaearon
Copy link
Contributor

gaearon commented Jul 7, 2021

There is, and has not been, an actual vulnerability here.
See #11174.

@gaearon gaearon closed this as completed Jul 7, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 7, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

7 participants