Postcss dependency of react-scripts needs an upgrade #10945
Comments
I'm also deep into trying to fix this and haven't yet found the resolution. PostCSS refuses to release a security fix (postcss/postcss#1574), including declining to merge a PR to fix the security issue. Trying to force a resolution gets me build errors.
This is not a recommendation, just saying how I'm working around this. I forked the repository, applied the fix to the v7 branch, and created a release called v8.3.0 (from the v7 branch.. ugh) to get around the audit fix. This is not verified, and not "safe", but because yarn audit doesn't have a way to ignore advisories I needed this as a way to get back to a green build. Here is the release I created https://github.com/hammerdr/postcss/releases/tag/8.3.0 I then did
Will continue to watch this thread in case better solutions arise.
Thank you for your quick response and for your work hammerdr. I’ll take a look. Cheers!
I'm having the same issue. Upgrading or audit fix doesn't work.
I'm having the same issue. But the workaround from hammerdr works. Any idea when they will be fixing the issue?
Have same issue. Waiting for fix.
Same here.
Adding postcss to resolutions does not fix the issue either. Can't even compile by doing this. 😶
Same here.👆
Same here ;o
Same here
Some remain but cannot right now be fixed; see facebook/create-react-app#10945 According to a comment by the author at postcss/postcss@8682b1e#commitcomment-49809613 the vulnerability only affects server-side parsing of CSS, so should not present a problem for us. Nonetheless, will check back in a week to see whether there's been any progress.
My temporary solution to this is to explicitly set the
Note: This does not really solve the root cause of the issue! It's simply to keep my CI/CD (Jenkins) happy until there is a proper fix to this!
Hmm, I will also offer my "temporary" solution for my CI/CD.
What we have: an audit for all packages used in the production build with the default audit level, and a working CI/CD. I really hope that soon the CRA team will find a solution for migrating the postcss library.
For anyone else that wants to patch this just for audit issues, see package Unfortunately it doesn't seem fully compatible with npm 7 yet: IBM/audit-ci#165
Also waiting for a fix on this. Thanks!
Same issue here
Same issue here
I solved the problem temporarily with this library https://www.npmjs.com/package/npm-force-resolutions Maybe it isn't the best solution; I would like to know what you think about it.
@rakestto I have already tried the force resolutions solution. However, I was unable to run npm build successfully after forcing the 8.2.10 dependency. Were you able to successfully build the project with this? If so, how?
With respect to At least one user was successful with Adopting
No, when I do a push my cypress tests fail on the GA. On my local machine it works perfectly, but in GA this solution makes my tests fail.
I suggest doing a fresh npm install (including deleting your node_modules first) on your local machine, then you will most likely get the same test errors in your local environment as well...
On Thu, 20 May 2021 at 14:52, Jose Fernando García Parreño wrote:
@rakestto <https://github.com/rakestto> I have already tried the force resolutions solution. However, I was unable to run npm build successfully after forcing the 8.2.10 dependency. Were you able to successfully build the project with this? If so, how?
No, when I do a push my cypress tests fail on the GA. On my local machine it works perfectly but with this solution the tests fail.
I have some libraries that use react-scripts too and have the same vulnerabilities, and I solved it with npm-force-resolutions too. If I delete node_modules and package.json in my main app (which uses the libraries) and run npm install, the console throws me an error saying that it can't install the library. I don't know if I need to put npm-force-resolutions in the peerDeps key in the library and put it in the dependencies key in the main app. However, I've tried a lot of ways to solve it and I couldn't. I think that the best option is to keep waiting for an update for react-scripts.
@rakestto you shouldn't delete your package.json, because you will not be able to run any scripts that way. If you want, you can delete your package-lock.json, but then you will need to remove "preinstall": "npx npm-force-resolutions" from your package.json file, otherwise you will not be able to run
Sorry, I wanted to say package-lock, thank you :) I'll try it
Same issue
Same issue here, waiting for fix. Thanks!
Can anyone confirm that upgrading node to version 16 can fix this? I was having the same problem and after I upgraded the node version of the CI to 16, this npm audit warning stopped showing.
^ doesn't really work if you have npm-force-resolutions
In lieu of acknowledgement on this issue from the team & seeing the growing list of folks interested in this issue, I did find it's on the maintainers' radar: iansu/create-react-app-meta#56 Not sure what the timing of the fix is. Also, more discussion under #9664.
Same issue with mine. npm-force-resolution is causing problems with npm run build. Hoping for a fix.
I am also facing this issue.
My current temporary solution for this is to move create-react-app to devDependencies like this:
and then make sure my CI jobs run
Hope this helps!
Yes, I also switched to
Similarly:
Really wishing that FB updates to postcss version 8, but there's now a backport to v7: postcss/postcss#1574 (comment) So can we expect an update soon?
I used this from tailwind and it worked for me;
Update from a maintainer: #9664 (comment) PR #11121 just got merged. Sounds like the fix will be in 4.1, & should be soon.
Hopefully we get the next release soon.. it's been 4 months since the last release guys :( Vite js has been moving much faster
@robertwt7 yeah I prefer vite to CRA for new projects. CRA seems so dead 😅
Thanks for the tips about Vite! I've been looking for a CRA replacement due to the support experience.
Vite is still very new, not sure I'd be using it in production apps for another while. It also treats Vue as a first class citizen.
Waiting for the 4.1
These warnings are false positives. There are no actual vulnerabilities affecting your app here. To fix That will remove the false positive warnings. I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings. If you want to discuss this, please comment in #11102.
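The maintainer's resolution above, and the earlier workaround of moving react-scripts to devDependencies so that CI audits only the production dependency tree, can be checked mechanically rather than by eyeballing the audit output. The following is an added example, not code from this issue or from the create-react-app project. It assumes the npm 6 `npm audit --json` layout (advisories keyed by id, each finding listing ">"-separated dependency paths whose first segment is a top-level dependency); the package.json and the audit report it works on are constructed samples, and the second advisory in that report is entirely made up as a contrast case. It moves a package from dependencies to devDependencies, then splits advisories into those reachable only through devDependencies (the ones an audit restricted to production dependencies, such as `npm audit --production`, stops reporting) and those with at least one production path.

```javascript
// Added example: classify npm audit findings by whether every path to the
// vulnerable package starts at a devDependency. Not code from the CRA issue.
// Assumes the npm 6 `npm audit --json` shape: advisories[id].findings[].paths
// are ">"-separated chains whose first segment is a top-level dependency.

// Constructed sample package.json with react-scripts still under dependencies.
const samplePackageJson = {
  name: "example-app",
  dependencies: {
    react: "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3",
  },
  devDependencies: {},
};

// Constructed sample audit report. Advisory 1693 is the postcss one from the
// thread; the second entry is invented purely to show a production-path hit.
const sampleAudit = {
  advisories: {
    "1693": {
      id: 1693,
      module_name: "postcss",
      findings: [
        {
          version: "7.0.35",
          paths: ["react-scripts>postcss", "react-scripts>resolve-url-loader>postcss"],
        },
      ],
    },
    "0": {
      id: 0,
      module_name: "constructed-runtime-dep",
      findings: [{ version: "1.0.0", paths: ["react>constructed-runtime-dep"] }],
    },
  },
};

// Return a copy of pkg with `name` moved from dependencies to devDependencies.
// The input object is left untouched; if `name` is not a dependency, pkg is returned as-is.
function moveToDevDependencies(pkg, name) {
  const deps = { ...(pkg.dependencies || {}) };
  if (!(name in deps)) return pkg;
  const devDeps = { ...(pkg.devDependencies || {}), [name]: deps[name] };
  delete deps[name];
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Top-level segment of an npm 6 audit path: "react-scripts>postcss" -> "react-scripts".
function rootOfPath(path) {
  return path.split(">")[0];
}

// Split advisories into devOnly (every path enters via a devDependency) and
// production (at least one path enters via a runtime dependency).
function classifyAdvisories(audit, pkg) {
  const devDeps = new Set(Object.keys(pkg.devDependencies || {}));
  const devOnly = [];
  const production = [];
  for (const adv of Object.values(audit.advisories || {})) {
    const paths = adv.findings.flatMap((f) => f.paths);
    const allDev = paths.length > 0 && paths.every((p) => devDeps.has(rootOfPath(p)));
    (allDev ? devOnly : production).push(adv.module_name);
  }
  return { devOnly: devOnly.sort(), production: production.sort() };
}

// Before/after view of the same audit report once react-scripts is a devDependency.
function demo() {
  const before = classifyAdvisories(sampleAudit, samplePackageJson);
  const moved = moveToDevDependencies(samplePackageJson, "react-scripts");
  const after = classifyAdvisories(sampleAudit, moved);
  return { before, after, moved };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. Before the move, postcss lands in the production bucket because its only entry point, react-scripts, is a runtime dependency; after the move it is devOnly and the made-up runtime advisory stays in production. Anything left in the production bucket still needs real action; the devDependencies move only removes the build-tool noise.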
Hi team
My build is not passing because I'm using npm audit to detect vulnerabilities. Npm audit detected a vulnerability with postcss which is a dependency of react-scripts. https://www.npmjs.com/advisories/1693
I tried to update the dependency with npm install postcss but it didn't work.
What can I do?
Example of a vulnerability: