After the upgrade to react-scripts version 5 in #1577, we observed several vulnerabilities reported by npm audit. Specifically, the audit shows 29 vulnerabilities with 18 moderate and 11 high severity.
The goal of this ticket is to address and resolve the vulnerabilities, ideally by running npm audit fix. We will also document any unresolved vulnerabilities and create follow-up tickets for issues that require further attention.
Acceptance Criteria
All vulnerabilities are resolved, or documented with an explanation if not fixable.
Testing Checklist has been run and all tests pass
README is updated, if necessary
Tasks
Investigate and attempt to resolve vulnerabilities (timebox to 1 sprint)
Document unpatched vulnerabilities where possible
Create followup tickets for issues requiring more work
Run Testing Checklist and confirm all tests pass
Notes
List of vulnerabilities
# npm audit report
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/jest-environment-enzyme/node_modules/braces
node_modules/sane/node_modules/braces
micromatch <=4.0.7
Depends on vulnerable versions of braces
node_modules/jest-environment-enzyme/node_modules/micromatch
node_modules/sane/node_modules/micromatch
@jest/transform <=24.9.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
node_modules/jest-environment-enzyme/node_modules/@jest/transform
@jest/environment <=24.9.0
Depends on vulnerable versions of @jest/fake-timers
Depends on vulnerable versions of @jest/transform
node_modules/jest-environment-enzyme/node_modules/@jest/environment
jest-environment-jsdom 10.0.2 - 25.5.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of @jest/fake-timers
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of jsdom
node_modules/jest-environment-enzyme/node_modules/jest-environment-jsdom
jest-environment-enzyme *
Depends on vulnerable versions of jest-environment-jsdom
node_modules/jest-environment-enzyme
jest-enzyme >=5.0.0
Depends on vulnerable versions of jest-environment-enzyme
node_modules/jest-enzyme
anymatch 1.2.0 - 2.0.0
Depends on vulnerable versions of micromatch
node_modules/jest-environment-enzyme/node_modules/anymatch
node_modules/sane/node_modules/anymatch
jest-haste-map 18.1.0 - 26.6.2
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-environment-enzyme/node_modules/jest-haste-map
sane 1.5.0 - 4.1.0
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of micromatch
node_modules/sane
jest-message-util 18.5.0-alpha.7da3df39 - 24.9.0
Depends on vulnerable versions of micromatch
node_modules/jest-environment-enzyme/node_modules/jest-message-util
@jest/fake-timers <=24.9.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-environment-enzyme/node_modules/@jest/fake-timers
jest-util 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/fake-timers
node_modules/jest-environment-enzyme/node_modules/jest-util
cross-spawn <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
node_modules/sane/node_modules/cross-spawn
decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/tsconfig-paths/node_modules/json5
loader-utils 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/loader-utils
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch
nanoid <3.3.8
Infinite loop in nanoid - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of resolve-url-loader
node_modules/react-scripts
path-to-regexp <0.1.12
Severity: moderate
Unpatched `path-to-regexp` ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix`
node_modules/path-to-regexp
express 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
Depends on vulnerable versions of path-to-regexp
node_modules/express
postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
Depends on vulnerable versions of postcss
node_modules/resolve-url-loader
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/request
jsdom 0.1.20 || 0.2.0 - 16.5.3
Depends on vulnerable versions of request
Depends on vulnerable versions of tough-cookie
node_modules/jest-environment-enzyme/node_modules/jsdom
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
semver >=7.0.0 <7.5.2 || <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install pa11y-ci@2.4.2, which is a breaking change
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/core-js-compat/node_modules/semver
node_modules/jest-environment-enzyme/node_modules/normalize-package-data/node_modules/semver
node_modules/pa11y/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/sane/node_modules/semver
core-js-compat 3.6.0 - 3.25.0
Depends on vulnerable versions of semver
node_modules/core-js-compat
pa11y 6.0.0-alpha - 6.2.3
Depends on vulnerable versions of semver
node_modules/pa11y
pa11y-ci >=3.0.0
Depends on vulnerable versions of pa11y
node_modules/pa11y-ci
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/jest-environment-enzyme/node_modules/tough-cookie
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
ws 2.1.0 - 5.2.3
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/jest-environment-enzyme/node_modules/ws
29 vulnerabilities (18 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
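One way to carry out the "document unpatched vulnerabilities" task above is to triage the machine-readable form of the same report, `npm audit --json`, rather than the text output. This is an added example, not code from the issue or the repository: `triage`, `renderUnresolved` and the constructed sample report are assumptions of mine; the JSON field names (`vulnerabilities`, `via`, `fixAvailable`, `isSemVerMajor`) are those of the npm 7+ audit report format (`auditReportVersion` 2).

```javascript
// Added example (not from the issue or the project): triage the JSON form of the audit
// report above so unresolved advisories can be documented, as the Tasks ask. Usage:
// `npm audit --json > audit.json && node triage.js audit.json` (no argument: built-in sample).
// Sort an npm audit v2 report (npm 7+) into three buckets:
//   auto:     fixed by plain `npm audit fix` (fixAvailable === true)
//   breaking: only fixable with --force, i.e. a semver-major bump of a top-level package
//   none:     no fix published; document it and open a follow-up ticket
function triage(report) {
  const buckets = { auto: [], breaking: [], none: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    // `via` mixes advisory objects (the package's own GHSAs) with plain strings
    // naming a vulnerable dependency ("Depends on vulnerable versions of ...").
    const entry = {
      name, range: v.range, severity: v.severity, direct: Boolean(v.isDirect),
      advisories: v.via.filter((x) => typeof x === "object").map((a) => a.url),
      transitiveOf: v.via.filter((x) => typeof x === "string"),
    };
    if (v.fixAvailable === true) buckets.auto.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      entry.forceInstalls = `${v.fixAvailable.name}@${v.fixAvailable.version}`;
      buckets.breaking.push(entry);
    } else buckets.none.push(entry);
  }
  return buckets;
}

// Render the unresolved buckets as a Markdown table for the ticket's Notes section.
function renderUnresolved(buckets) {
  const rows = [...buckets.breaking, ...buckets.none].map((e) => {
    const fix = e.forceInstalls ? `force installs ${e.forceInstalls}` : "no fix available";
    const why = e.advisories.length ? e.advisories.join(" ") : `via ${e.transitiveOf.join(", ")}`;
    return `| ${e.name} | ${e.range} | ${e.severity} | ${fix} | ${why} |`;
  });
  return ["| package | range | severity | fix | advisory |", "|---|---|---|---|---|", ...rows].join("\n");
}

// Constructed sample in `npm audit --json` shape, modelled on three entries in the report above.
const SAMPLE = { auditReportVersion: 2, vulnerabilities: {
  braces: { name: "braces", severity: "high", isDirect: false, range: "<3.0.3", effects: ["micromatch"],
    via: [{ name: "braces", url: "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", severity: "high" }],
    fixAvailable: { name: "jest-enzyme", version: "4.2.0", isSemVerMajor: true } },
  micromatch: { name: "micromatch", severity: "high", isDirect: false, range: "<=4.0.7", via: ["braces"],
    effects: ["anymatch"], fixAvailable: { name: "jest-enzyme", version: "4.2.0", isSemVerMajor: true } },
  "cross-spawn": { name: "cross-spawn", severity: "high", isDirect: false, range: "<6.0.6 || >=7.0.0 <7.0.5",
    via: [{ name: "cross-spawn", url: "https://github.com/advisories/GHSA-3xgq-45jj-v275", severity: "high" }],
    effects: [], fixAvailable: true },
} };
if (typeof require !== "undefined" && require.main === module) // stand-alone: node triage.js [audit.json]
  console.log(renderUnresolved(triage(process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE)));
```

Entries in the `breaking` bucket are exactly the ones the text report marks "fix available via `npm audit fix --force` ... which is a breaking change", so they are the candidates for follow-up tickets.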
lhuxraft changed the title from "Frontend dependency security vulnerabilities" to "Resolve vulnerabilities in frontend dependencies after React upgrade" on Dec 12, 2024