Security vulnerabilities detected in the dependency packages require an update #9815
As far as I can tell, there are no actual vulnerabilities here. If you link to reports I can confirm that.
Hi Dan, thank you for your quick reply. Unfortunately I would not be able to share the full report, but below are the issues stated in the report: ajv@6.11.0, websocket-driver@0.6.5
Neither of these dependencies is used in the production builds; they're development-only. So they don't have any actual impact on the security of your application. We're cutting CRA 4.x soon so you can try switching to
@gaearon I am also getting a Snyk security testing issue with . Can you please update the version of object-path@0.11.4 to object-path@0.11.5 inside react-scripts@3.4.3 or react-scripts@4.0.0-next.98?
These are transitive dependencies, so they're not ours to update. You can file this with
@gaearon Can you please elaborate more on "You can file this with adjust-sourcemap-loader and ask them to cut a patch"?
If the "vulnerable" (and again, there's no actual vulnerability — you are chasing a ghost) package is
FYI, it's already been filed: bholloway/adjust-sourcemap-loader#16
That's great. Waiting for this to release.
False positives like this are arguably more dangerous. When we tell people to ignore reported vulnerabilities, actually dangerous vulnerabilities get ignored as well. That's not a bug of create-react-app, obviously, but something I wanted to react to nonetheless.
@gaearon adjust-sourcemap-loader is upgraded to 3.0.0 with a security fix, it seems. Can you please upgrade react-scripts?
This is not how npm works. We can’t “update” to some transitive dependency’s bump. What needs to happen here is a patch release (not a major!) for the affected dependency. Then things would sort themselves out automatically thanks to semver.
And again, let’s not call this a “security fix” because there is no actual security problem in this case.
I am not a security expert, but we are getting High Severity; without a react-scripts update we cannot move forward.
Snyk by default doesn't report on security issues in devDependencies to reduce the noise-to-signal ratio, just as @gaearon is saying: sometimes these vulnerabilities in devDependencies don't make a lot of sense since they aren't making it into production code. Good examples of these are security issues in packages like
@nayaks2019 perhaps you can move those dependencies added by CRA to devDependencies? Such as
@nayaks2019 another thing to consider is that Snyk allows you to ignore vulnerabilities (I think other tools, maybe like npm audit, do too, but I'm not sure; take a look at their docs). See the Snyk CLI for ignore or the Snyk UI instructions.
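The claim made twice above (a package under react-scripts is development-only and never reaches the production bundle) is something you can verify from package-lock.json rather than take on faith. The script below is an added example, not code from create-react-app, Snyk or anyone in this thread: it walks the lockfile v2 `packages` map from the root's `dependencies` and `devDependencies` separately, classifies a scanner-flagged package as production-reachable, dev-only or not installed, and prints the requirer chain so you know which maintainer to ask for a patch release. The lock data embedded in it is constructed for the demo, and the walk assumes every package is hoisted to `node_modules/<name>` (nested duplicate copies are not modelled).

```javascript
// Added example (not create-react-app code): triage a scanner finding by
// checking whether the flagged package is reachable from production
// dependencies in a package-lock.json (lockfileVersion 2 "packages" map).
// Assumption: every installed package lives at node_modules/<name>; nested
// node_modules copies are not modelled.

// Depth-first walk of the dependency graph from a set of package names.
function reachable(packages, startNames) {
  const seen = new Set();
  const stack = [...startNames];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = packages[`node_modules/${name}`];
    if (!entry) continue; // declared but not installed: nothing to walk
    for (const dep of Object.keys(entry.dependencies || {})) stack.push(dep);
  }
  return seen;
}

// "production" if the root's dependencies can reach it, "development" if
// only the root's devDependencies can, otherwise "not installed".
function classify(lock, name) {
  const packages = lock.packages;
  const root = packages[""];
  if (reachable(packages, Object.keys(root.dependencies || {})).has(name)) return "production";
  if (reachable(packages, Object.keys(root.devDependencies || {})).has(name)) return "development";
  return "not installed";
}

// Breadth-first search for the shortest requirer chain from the root, so the
// report names the package whose maintainer would have to cut the patch.
function whyInstalled(lock, name) {
  const packages = lock.packages;
  const root = packages[""];
  const starts = Object.keys({ ...(root.dependencies || {}), ...(root.devDependencies || {}) });
  const parent = new Map(starts.map((n) => [n, ""]));
  const queue = [...starts];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === name) break;
    const entry = packages[`node_modules/${cur}`];
    for (const dep of Object.keys((entry && entry.dependencies) || {})) {
      if (!parent.has(dep)) { parent.set(dep, cur); queue.push(dep); }
    }
  }
  if (!parent.has(name)) return null;
  const chain = [];
  for (let cur = name; cur !== ""; cur = parent.get(cur)) chain.unshift(cur);
  return chain;
}

function report(lock, flagged) {
  return flagged.map((name) => ({ name, scope: classify(lock, name), via: whyInstalled(lock, name) }));
}

// Constructed lock data for the demo; versions and edges are illustrative,
// not copied from a real create-react-app lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { react: "^17.0.0", "react-dom": "^17.0.0" },
      devDependencies: { "react-scripts": "3.4.3" },
    },
    "node_modules/react": { version: "17.0.0", dependencies: { "object-assign": "^4.1.1" } },
    "node_modules/react-dom": { version: "17.0.0", dependencies: { react: "^17.0.0" } },
    "node_modules/object-assign": { version: "4.1.1" },
    "node_modules/react-scripts": {
      version: "3.4.3", dev: true,
      dependencies: { "adjust-sourcemap-loader": "2.0.0", ajv: "6.11.0", "websocket-driver": "0.6.5" },
    },
    "node_modules/adjust-sourcemap-loader": { version: "2.0.0", dev: true, dependencies: { "object-path": "0.11.4" } },
    "node_modules/object-path": { version: "0.11.4", dev: true },
    "node_modules/ajv": { version: "6.11.0", dev: true },
    "node_modules/websocket-driver": { version: "0.6.5", dev: true },
  },
};

// Usage: node triage.js [path/to/package-lock.json] [pkg ...]
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const names = process.argv.length > 3 ? process.argv.slice(3) : ["react", "object-path", "ajv", "left-pad"];
  for (const r of report(lock, names)) {
    console.log(`${r.name}: ${r.scope}${r.via ? "  via " + r.via.join(" > ") : ""}`);
  }
}
```

Pointing it at a real lockfile gives the same answer `npm ls <pkg>` would, but in a form you can attach to a scanner ticket: the scope tells you whether the finding is worth a "production" severity at all, and the chain tells you which package (here adjust-sourcemap-loader, not react-scripts) needs the patch release that semver then propagates for free.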
Sounds totally fine. I had no idea there is an actual semantic meaning to it from Snyk's perspective! |
Cool! I think this will really help a lot to bring the noise down for CRA for such issues being opened, at least for those using Snyk or making sure their tooling is ignoring devDeps by default as the Snyk CLI does.
Is
Yes it is :-) Snyk is a security platform, a CLI tool, and maintains its own vulnerability database at https://snyk.io/vuln?type=npm which has broader coverage than npm. And so, when users get alerts in the form of the CLI tooling reports, or via a GitHub pull request, this is all based on Snyk's own database. There is some overlap with npm and others since all of these tools work by tracking the open and public database sets like NVD.
An out-of-the-box CRA project which I just scaffolded provides the following security report from Snyk, indeed showing that there are many issues that don't have a direct upgrade and can't be easily addressed by their maintainers:
However, I applied the change I suggested to move the relevant packages into devDeps and a follow-up
If someone really wanted to, they can issue a
I'm happy to support where I can. Don't be shy to tag me in this or future issues if I can help.
P.S.
Thanks, this context is super helpful. |
I bumped just
For the other issues, please move
Hi, for one of our projects, after upgrading react-scripts to the latest version (react-scripts@3.4.3), the Veracode static code analysis tool points out that a few libraries are vulnerable to uninitialized buffer allocation attacks and prototype pollution. These libraries are given below:
ajv@6.11.0 is vulnerable to prototype pollution. By upgrading this to a version >=6.12.4 this issue can be resolved.
websocket-driver@0.6.5 is vulnerable to uninitialized buffer allocation attacks. By upgrading this to a version >=0.7.1 this issue can be resolved.
Is there any plan to upgrade these packages to improve the security? If yes, could you please let us know by when these changes could be implemented? Any quick help/support you could provide on this would be much appreciated.