create-react-app · Issues · #12055
Closed
Issue created Feb 13, 2022 by Administrator (@root, Contributor)

update vulnerable dependencies

Created by: juliocarneiro

Describe the bug

Snyk flags vulnerable dependencies in react-scripts.

Did you try recovering your dependencies?

yes

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

System:
  OS: Windows 10 10.0.19044
  CPU: (4) x64 Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
Binaries:
  Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.17 - C:\Program Files\nodejs\yarn.CMD
  npm: 8.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Chrome: Not Found
  Edge: Spartan (44.19041.1266.0), Chromium (98.0.1108.50)
  Internet Explorer: 11.0.19041.1202
npmPackages:
  react: ^17.0.2 => 17.0.2
  react-dom: ^17.0.2 => 17.0.2
  react-scripts: 5.0.0 => 5.0.0
npmGlobalPackages:
  create-react-app: Not Found

Steps to reproduce

  1. Open cra project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin

Expected behavior

There should be no vulnerabilities

Actual behavior

Regular Expression Denial of Service (ReDoS) Vulnerability | CVE-2021-3803 | CWE-1333 | CVSS 7.5 | SNYK-JS-NTHCHECK-1586032
Vulnerable module: nth-check
Introduced through: react-scripts@5.0.0
Fixed in: nth-check@2.0.1
Exploit maturity: Not Defined
Detailed paths:
  Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > nth-check@1.0.2
Remediation: Upgrade nth-check to version 2.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

Regular Expression Denial of Service (ReDoS) Vulnerability | CVE-2021-33587 | CWE-400 | CVSS 5.3 | SNYK-JS-CSSWHAT-1298035
Vulnerable module: css-what
Introduced through: react-scripts@5.0.0
Fixed in: css-what@5.0.1
Exploit maturity: Not Defined
Detailed paths:
  Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > css-what@3.4.2
Remediation: Upgrade css-what to version 5.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

Reproducible demo

https://github.com/juliocarneiro/react-chrome-extension

  1. Open project in vscode
  2. Install Snyk plugin
  3. Access snyk tab and play plugin