Security vulnerability issues #11118

Closed
sindhurameduri opened this issue Jun 17, 2021 · 5 comments

@sindhurameduri

Hello,
We are using React and we are getting security vulnerability issues with dependent packages.

1) We are trying to upgrade ejs to 3.1.6, but the package under react-scripts is not upgrading to 3.1.6. We upgraded react-scripts to the latest version, but ejs is still not upgrading to 3.1.6.

Tree structure:
└─┬ react-scripts@4.0.3
  └─┬ workbox-webpack-plugin@5.1.4
    └─┬ workbox-build@5.1.4
      └─┬ @surma/rollup-plugin-off-main-thread@1.4.2
        └── ejs@2.7.4

2) We are trying to upgrade color-string to 1.5.5, but the package under react-scripts is not upgrading to 1.5.5. We upgraded react-scripts, postcss-colormin and optimize-css-assets-webpack-plugin to the latest versions, but it is still showing color-string 1.5.4.

Tree structure:
└─┬ react-scripts@4.0.3
  └─┬ optimize-css-assets-webpack-plugin@5.0.4
    └─┬ cssnano@4.1.11
      └─┬ cssnano-preset-default@4.0.8
        └─┬ postcss-colormin@4.0.3
          └─┬ color@3.1.3
            └── color-string@1.5.4

3) We are trying to upgrade css-what to 5.0.1, but the package under react-scripts and postcss-svgo is not upgrading to 5.0.1. We upgraded react-scripts, postcss-svgo and svgo to the latest versions, but css-what is still not upgrading to 5.0.1.

Tree structure:
└─┬ react-scripts@4.0.3
  └─┬ @svgr/webpack@5.5.0
    └─┬ @svgr/plugin-svgo@5.5.0
      └─┬ svgo@1.3.2
        └─┬ css-select@2.1.0
          └── css-what@3.4.2

postcss-svgo@4.0.3
└─┬ svgo@1.3.2
  └─┬ css-select@2.1.0
    └── css-what@3.4.2

4) We are trying to upgrade normalize-url to 4.5.1, but the package under react-scripts and optimize-css-assets-webpack-plugin is not upgrading to 4.5.1. We upgraded react-scripts, optimize-css-assets-webpack-plugin and mini-css-extract-plugin to the latest versions, but the normalize-url issue is still not fixed.

Tree structure:
└─┬ react-scripts@4.0.3
  ├─┬ mini-css-extract-plugin@0.11.3
  │ └── normalize-url@1.9.1
  └─┬ optimize-css-assets-webpack-plugin@5.0.4
    └─┬ cssnano@4.1.11
      └─┬ cssnano-preset-default@4.0.8
        └─┬ postcss-normalize-url@4.0.1
          └── normalize-url@3.3.0

5) We are trying to upgrade glob-parent to 5.1.2, but the package under react-scripts and webpack is not upgrading to 5.1.2. We upgraded react-scripts and webpack to the latest versions, but glob-parent is still not upgrading to the latest.

└─┬ react-scripts@4.0.3
  ├─┬ webpack-dev-server@3.11.1
  │ └─┬ chokidar@2.1.8
  │   └── glob-parent@3.1.0
  └─┬ webpack@4.44.2
    └─┬ watchpack@1.7.5
      ├─┬ chokidar@3.5.1
      │ └── glob-parent@5.1.2 deduped
      └─┬ watchpack-chokidar2@2.0.1
        └─┬ chokidar@2.1.8
          └── glob-parent@3.1.0

The expected behaviour is for the package versions under react-scripts to be upgraded.

@michealmueller

michealmueller commented Jun 17, 2021

Have you perhaps solved this issue and managed to get them updated? My team and I are facing the same issues.

@sindhurameduri
Author

Not yet solved, unable to get them updated.

@croraf

croraf commented Jun 21, 2021

Can this be closed in favor of: #11012 ?

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.
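The triage behind the advice above, as an added example that is not code from the issue or from create-react-app: it parses `npm ls` output of the shape quoted in the issue, checks whether every path to a flagged package runs through a top-level devDependency (which is what makes `npm audit --production` stop reporting it), and applies the package.json change gaearon describes. The project name, path and the `runtime-lib` package are constructed.

```javascript
// Added example, not code from the issue or from create-react-app: given a package.json object
// and `npm ls <pkg>` output, decide whether a flagged package is reached only via devDependencies.
function parseName(spec) {
  // "ejs@2.7.4" -> "ejs"; scoped "@surma/x@1.4.2" -> "@surma/x"; drops " deduped"
  const s = spec.replace(/ deduped$/, "").trim();
  const at = s.lastIndexOf("@");
  return at > 0 ? s.slice(0, at) : s;
}
// Turn npm ls box-drawing output into one root-to-node path (array of names) per line.
function parseTree(text) {
  const stack = [];   // package name at each depth; stack[0] is the project itself
  const paths = [];
  for (const line of text.trim().split("\n")) {
    const m = line.match(/^([│ ]*)[├└]─[┬─] (.+)$/u);
    const depth = m ? m[1].length / 2 + 1 : 0;   // npm indents two columns per level
    stack.length = depth;
    stack[depth] = parseName(m ? m[2] : line.split(" ")[0]);
    paths.push(stack.slice());
  }
  return paths;
}
// True when every occurrence of `pkg` hangs under a top-level devDependency.
function isDevOnly(pkgJson, treeText, pkg) {
  const dev = new Set(Object.keys(pkgJson.devDependencies || {}));
  const hits = parseTree(treeText).filter((p) => p[p.length - 1] === pkg);
  return hits.length > 0 && hits.every((p) => dev.has(p[1]));
}
// The change suggested in the thread: move one entry from dependencies to devDependencies.
function moveToDevDependencies(pkgJson, name) {
  const { [name]: version, ...dependencies } = pkgJson.dependencies || {};
  if (version === undefined) return pkgJson;
  const devDependencies = { ...(pkgJson.devDependencies || {}), [name]: version };
  return { ...pkgJson, dependencies, devDependencies };
}
// Constructed inputs shaped like the trees in the issue (project name and path made up).
const PKG = { dependencies: { "react-scripts": "4.0.3", react: "^17.0.2" } };
const EJS_TREE = `my-app@0.1.0 /tmp/my-app
└─┬ react-scripts@4.0.3
  └─┬ workbox-webpack-plugin@5.1.4
    └─┬ workbox-build@5.1.4
      └─┬ @surma/rollup-plugin-off-main-thread@1.4.2
        └── ejs@2.7.4`;
// Caveat: a hypothetical runtime dependency pulling the same package in keeps it non-dev-only.
const GLOB_TREE = `my-app@0.1.0 /tmp/my-app
├─┬ runtime-lib@1.0.0
│ └── glob-parent@3.1.0
└─┬ react-scripts@4.0.3
  └─┬ chokidar@2.1.8
    └── glob-parent@3.1.0`;
```

With react-scripts in `dependencies`, `isDevOnly(PKG, EJS_TREE, "ejs")` is false; after `moveToDevDependencies(PKG, "react-scripts")` it is true, while the glob-parent case stays false because the constructed runtime dependency also reaches it.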

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.
