
Dependency Packages introduced vulnerabilities associated with react-scripts 5.0.1 #13564

Open
BijoyMogorBetsol opened this issue Apr 16, 2024 · 2 comments

Comments

@BijoyMogorBetsol

nth-check 1.0.2 JavaScript (Yarn)

Incorrect Comparison
Description
nth-check is vulnerable to Inefficient Regular Expression Complexity
Severity:
High
Tool: Dependency Scanning
Scanner: Gemnasium

Links
https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0
https://nvd.nist.gov/vuln/detail/CVE-2021-3803
Identifiers
CVE-2021-3803
Gemnasium-3284fc8f-f377-4fcf-95dd-270a8b922329

Solution

Upgrade to version 2.0.1 or above.

express 4.18.2 JavaScript (Yarn)

Express.js Open Redirect in malformed URLs
Description

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().

Severity:
Medium

Identifiers
CWE-1035
CWE-937

webpack-dev-middleware 5.3.3 JavaScript (Yarn)

Path traversal in webpack-dev-middleware
Description

The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.

Severity:
High

Identifiers
CWE-22
CWE-1035
CWE-937

postcss 7.0.39 JavaScript (Yarn)

PostCSS line return parsing error
Description

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

Severity:
Medium
Identifiers
Gemnasium-7a2fe254-d605-4097-a4e3-7eafeb60045e
CVE-2023-44270

@Red0Hood

Edit your package.json and add this at the end:

```json
  "devDependencies": {
    "@babel/plugin-proposal-private-property-in-object": "^7.21.11",
    "@babel/plugin-transform-private-property-in-object": "^7.24.5"
  },
  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "8.1.0",
      "typescript": "5.0.2",
      "postcss": "8.4.38"
    }
  }
```

Edit `"react-scripts": "^5.0.1",`:

```json
  "dependencies": {
    "@testing-library/jest-dom": "^5.17.0",
    "@testing-library/react": "^13.4.0",
    "@testing-library/user-event": "^13.5.0",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-scripts": "^5.0.1",
    "styled-components": "^6.1.11",
    "web-vitals": "^2.1.4"
  },
```

In your terminal, sync your packages with `npm install`, then check for vulnerabilities with `npm audit`.

Hope it helps; I think npm is like yarn.
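As an added example that is not part of this thread, the following Node script checks a package-lock.json (lockfileVersion 2 or 3) for copies of the packages named in this issue that are still below their fixed versions. Unlike `npm audit` it runs offline, and it inspects nested `node_modules` paths too, since an override placed under the wrong parent leaves the old nested copy in place. The fix version for webpack-dev-middleware is an assumption (not stated in the issue), and the sample lockfile is constructed.

```javascript
// Added example, not code from the issue: scan a package-lock.json (lockfileVersion 2/3)
// for copies of the packages named here still below the fixed version, nested ones included.
const MIN_VERSIONS = {
  "nth-check": "2.0.1",              // CVE-2021-3803 fix version, as stated in the issue
  "express": "4.19.2",               // open redirect fix version, as stated in the issue
  "postcss": "8.4.31",               // CVE-2023-44270 fix version, as stated in the issue
  "webpack-dev-middleware": "5.3.4", // assumption: upstream fix version, not stated in the issue
};

// Compare two "x.y.z" versions numerically; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// The package name is whatever follows the last "node_modules/" in the key, so
// nested copies (node_modules/react-scripts/node_modules/x) and scoped names are found.
function findOutdated(lock, minVersions = MIN_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    const min = minVersions[name];
    if (min && compareVersions(entry.version, min) < 0) {
      findings.push({ name, path, version: entry.version, minimum: min });
    }
  }
  return findings;
}
// Constructed lockfile: top-level postcss was overridden, but react-scripts still
// resolves its own nested nth-check 1.0.2 and postcss 7.0.39.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/postcss": { version: "8.4.38" },
    "node_modules/react-scripts/node_modules/nth-check": { version: "1.0.2" },
    "node_modules/react-scripts/node_modules/postcss": { version: "7.0.39" },
    "node_modules/webpack-dev-middleware": { version: "5.3.3" },
  },
};
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of findOutdated(lock)) console.log(`${f.path}: ${f.version} < ${f.minimum}`);
}
```

Save it as, say, `check-lock.js` (a hypothetical name) and run `node check-lock.js package-lock.json` after `npm install`; with no argument it reports the three outdated entries in the constructed sample.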

readysetagile added a commit to FCCColumbus/cbus-web that referenced this issue Jul 12, 2024
- Installed node 20.10.0 LTS
- Installed React 18.3.1 (April 2024)
- resolved vulnerabilities from recommendations [here](facebook/create-react-app#13564 (comment))
- installed cross-env package. This will allow the `GENERATE_SOURCEMAP` environment variable to be set on build for all environments. `GENERATE_SOURCEMAP=false` will not create the ts (TypeScript) map files at runtime
- resolved 1 linting warning in `links.js`
@HiickFG

HiickFG commented Jan 7, 2025

I made this PR: #13778

It's focused on resolving the moderate/high vulnerabilities introduced by react-scripts for outdated dependencies that then point to outdated nth-check and postcss packages.
