Vulnerabilities... #13337

Closed
dogukan33 opened this issue Aug 22, 2023 · 12 comments
Comments

dogukan33 commented Aug 22, 2023

Hello, I am currently receiving warnings about a chain of dependencies leading to a package (nth-check) with a known high-severity vulnerability. (See attached.) What should I do? Note: npm audit fix --force does not resolve the issue.

(attached screenshot: errorReactScripts)

@dogukan33 (author)

After using 'npm audit fix --force', the number of vulnerabilities increased from 6 to 53.

@baturkey

In your package-lock.json under "node_modules/react-scripts"
Update the version of "@svgr/webpack" from 5.5.0 to the latest version (8.1.0 as I write this)
https://www.npmjs.com/package/@svgr/webpack

Then run npm install

@TShaunik

@baturkey there's a better way to override. With this method, you don't have to keep updating the package-lock manually. This object would be at the root of package.json:

"overrides": {
  "react-scripts": {
    "@svgr/webpack": "8.1.0",
    "typescript": "5.0.2"
  }
}

This tells it to override those dependencies with the specified versions when they're a child of react-scripts. I also had to override the typescript version for my upgrade, so I included that as well.

@baturkey

TIL, thanks @TShaunik !

SubJunk commented Aug 25, 2023

This vulnerability has been around for about 10 months, is this project abandoned?

@TShaunik

I feel like it is. Not a single version (not even a patch) has been released in 16 months. Looking at ejecting my React app from CRA to get free of react-scripts which is causing so many issues with my security updates.

SubJunk commented Aug 30, 2023

Yeah 453 open pull requests isn't a good sign, weird though for Facebook, maybe that team got downsized?

@dogukan33 (author)

Thank you all for your responses! I've resolved the issue following @TShaunik's 'override' approach.

@dave9123

In your package-lock.json under "node_modules/react-scripts"
Update the version of "@svgr/webpack" from 5.5.0 to the latest version (8.1.0 as I write this)
https://www.npmjs.com/package/@svgr/webpack

Then run npm install

Trying to have something work directly to the script

stormmuller commented Sep 12, 2023

This is still an issue. Overriding @svgr/webpack to several major versions above what is specified in CRA is not a proper solution. Why was this closed?

@ziaulrehman40

Does this manual override to several versions newer break anything? I guess it will, especially in projects with overrides etc. So it's not a proper solution.

@TShaunik

@ziaulrehman40 It's a solution to address the reality that they've not released anything since April 12, 2022.

We're going through a SOC 2 audit and I had 3 options:

  1. Mark it as we're not going to resolve a high security alert and then try to pass the audit ignoring an item that must be resolved in 30 days
  2. Eject react-scripts and take on managing the configs for webpack, and many other plugins ourselves and not be able to re-use react-scripts to handle that if they were to ever release a new version. Difficult to do as we're a tiny team and I'm the only one who has the prior knowledge to pick up figuring all that that would entail.
  3. Override and test to see if things are broken

If we were to fail the audit, and we wouldn't know for 3 months (the observation window), we'd lose customers so the first option was ruled out immediately. The 2nd was considered, but I couldn't afford to be derailed to tackle the consequences of ejecting react-scripts, so I had to go with the third. We have seen no issues in our app and will deal with it if we do encounter something at some point.

7 participants