audit failure 81 vulnerabilities found #11053

Closed
krishnaTORQUE opened this issue Jun 3, 2021 · 9 comments

Comments

@krishnaTORQUE

Describe the bug

vulnerabilities found

Audit

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > resolve-url-loader > postcss                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.16.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > react-dev-utils > browserslist               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1747                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.4.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > ws                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1748                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
81 vulnerabilities found - Packages audited: 2746

@indignant

Some other tickets already filed for this: #10929 #10945 #11007 #11012

@krishnaTORQUE (Author)

So is there any fix coming soon or any pending PR for it?
If not, then I can make a PR to fix it.
Please do let me know.

@indignant

My understanding is there have been a couple of PRs submitted, some workarounds suggested, and some CRA team meetings on the subject; this is just what I was able to derive from the conversations in the existing tickets.

@xFrann

xFrann commented Jun 4, 2021

Are those vulnerabilities a big deal for production?

@indignant

indignant commented Jun 4, 2021

@xFrann I don't think any of these are real vulnerabilities; they're tools to create the static bundle. It just breaks people's CI/CD flow when the flow runs npm audit.
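
The distinction drawn above, between advisories in build-time tooling and advisories in code that actually ships, is exactly what an `npm audit` gate in CI has to make before it decides to fail a pipeline. The script below is an added example written for this page; it is not code from the create-react-app project or from anyone in this thread. It assumes the npm 6 `npm audit --json` layout (advisories keyed by id, each with `findings[].paths` joined by `>`), reads the project's `package.json` to decide whether the top-level package of each path is a runtime dependency or a devDependency, and fails only when an advisory at or above the chosen severity reaches a runtime dependency. `triageAudit`, `topLevelOf`, `SAMPLE_AUDIT` and `SAMPLE_PACKAGE_JSON` are names invented here; the sample audit data is constructed from the three advisories shown in the report, and the sample `package.json` is a made-up one with `react-scripts` moved to `devDependencies`. One caveat worth knowing: a freshly generated create-react-app project lists `react-scripts` under `dependencies`, so with the stock layout this gate (like `npm audit --production`) still counts the whole toolchain as production.

```javascript
// Added example, not from the create-react-app project: a CI gate that
// fails only on npm audit advisories reachable from runtime dependencies.
// Assumes the npm 6 `npm audit --json` shape: advisories keyed by id,
// each with findings[].paths such as "react-scripts>resolve-url-loader>postcss".

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample built from the three advisories in the report above.
const SAMPLE_AUDIT = {
  advisories: {
    "1693": {
      id: 1693, module_name: "postcss", severity: "moderate",
      title: "Regular Expression Denial of Service", patched_versions: ">=8.2.10",
      findings: [{ paths: ["react-scripts>resolve-url-loader>postcss"] }],
      url: "https://www.npmjs.com/advisories/1693",
    },
    "1747": {
      id: 1747, module_name: "browserslist", severity: "moderate",
      title: "Regular Expression Denial of Service", patched_versions: ">=4.16.5",
      findings: [{ paths: ["react-scripts>react-dev-utils>browserslist"] }],
      url: "https://www.npmjs.com/advisories/1747",
    },
    "1748": {
      id: 1748, module_name: "ws", severity: "moderate",
      title: "Regular Expression Denial of Service", patched_versions: ">=7.4.6",
      findings: [{ paths: ["react-scripts>webpack-dev-server>ws"] }],
      url: "https://www.npmjs.com/advisories/1748",
    },
  },
};

// Constructed, hypothetical package.json with the build toolchain moved to
// devDependencies. A stock create-react-app project puts react-scripts under
// "dependencies", which makes every path below it count as runtime.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { react: "*", "react-dom": "*" },
  devDependencies: { "react-scripts": "*" },
};

// The first segment of an npm audit path is the top-level package that
// pulled the vulnerable module in; that is the name package.json can classify.
function topLevelOf(path) {
  return path.split(">")[0].trim();
}

// Classify each advisory by where its dependency paths originate and decide
// whether CI should fail. A root listed in neither section, or in both, is
// treated as runtime so that the gate fails closed rather than open.
function triageAudit(audit, pkg, failOn = "moderate") {
  const prodRoots = new Set(Object.keys(pkg.dependencies || {}));
  const devRoots = new Set(Object.keys(pkg.devDependencies || {}));
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);

  const runtime = [];
  const buildOnly = [];
  for (const adv of Object.values(audit.advisories || {})) {
    const paths = (adv.findings || []).flatMap((f) => f.paths || []);
    const roots = paths.map(topLevelOf);
    const onlyDev =
      roots.length > 0 && roots.every((r) => devRoots.has(r) && !prodRoots.has(r));
    const record = { id: adv.id, module: adv.module_name, severity: adv.severity, paths };
    (onlyDev ? buildOnly : runtime).push(record);
  }
  const shouldFail = runtime.some((r) => {
    const rank = SEVERITY_RANK[r.severity];
    return (rank === undefined ? SEVERITY_RANK.critical : rank) >= threshold;
  });
  return { runtime, buildOnly, shouldFail };
}

// Usage: node audit-gate.js audit.json package.json [failOn]
if (process.argv[2] && process.argv[3]) {
  const fs = require("fs");
  const audit = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const pkg = JSON.parse(fs.readFileSync(process.argv[3], "utf8"));
  const result = triageAudit(audit, pkg, process.argv[4] || "moderate");
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.shouldFail ? 1 : 0;
} else {
  // No files given: run against the constructed sample.
  console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON), null, 2));
}
```

Produce the input with `npm audit --json > audit.json` (npm 6; the gate tolerates a non-zero exit from that command because npm exits 1 whenever it finds anything) and run `node audit-gate.js audit.json package.json high` in the pipeline step that used to call `npm audit` directly. Build-only findings are still printed so they do not disappear from view; they just stop blocking the deploy.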

@wmeints

wmeints commented Jun 5, 2021

Still, it's kind of weird to leave a vulnerable package in your project. And 80 vulnerabilities is no fun at all. It sort of feels like they don't really care about security.

@toreylittlefield

This is also a duplicate of #11012, I believe, so I am watching that issue as well. Some useful comments in the issues if you dig through them.

@murugavel-n

I've an open PR #11036 to fix browserslist. Still waiting for review.

bexsoft pushed a commit to bexsoft/console that referenced this issue Jun 8, 2021
There is one fix that needs to be applied once create-react-app delivers a new update. Please refer to facebook/create-react-app#11053
dvaldivia pushed a commit to minio/console that referenced this issue Jun 8, 2021
There is one fix that needs to be applied once create-react-app delivers a new update. Please refer to facebook/create-react-app#11053

Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
@gaearon (Contributor)

gaearon commented Jul 2, 2021

See #11174.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021

7 participants