Security Vulnerability in React-Scripts Dependencies

[shmoeaz]

The latest OWASP scans and NPM audits are identifying a security vulnerability in the Json5 <= v2.2.1 package which is used by the @babel/core v7.16.0.
@babel/core v7.21.8 has update its dependency to Json5 v2.2.2 which contains a patch.

Is there any chance react-scripts can be updated to use the newer babel/core?

Since react-scripts is added as an application dependency and not a devDependency, it is picked up by the scans and thus it would be nice if we can update it to clean up the scan results.

[shmoeaz]

I have figured out how to use "overrides" within the package.json
"overrides": { "json5@>2.0.0": "^2.2.3", "json5@<1.0.2": "^1.0.2", },
This resolved the issue of the react-scripts using out-dated dependencies.
However, it would still be nice if CRA can at least stay up to date with its dependency.
Anyways... thanks for writing a useful tool.