
npm audit failure (high) due to "css-what" #11067

Closed
rprakash05 opened this issue Jun 8, 2021 · 7 comments

Comments

@rprakash05

Describe the bug

npm audit currently fails on react-scripts@4.0.3 due to a high security vulnerability in css-what. The dependency paths are as follows.

  1. react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > css-what
  2. react-scripts > optimize-css-assets-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what
  3. react-scripts > html-webpack-plugin > pretty-error > renderkid > css-select > css-what

The respective npm advisory is at https://www.npmjs.com/advisories/1745.

Steps to reproduce

  1. Run npm audit on react-scripts@4.0.3
  2. Try to run npm audit fix
  3. Confirm that the fix was not auto resolved.

Expected behavior

npm audit can exit successfully.

Actual behavior

npm audit fails

@emiwidknowit

Would be great to get this prioritized 👍

@Raynesz

Raynesz commented Jun 8, 2021

So I am new to web development and using React. I recently realised that there are a lot of vulnerable packages in react-scripts. Those don't seem to be fixable with "npm audit fix" and require a manual review. I searched around and there doesn't seem to be a proper fix so far. Do we just have to wait for a new CRA version?

@stahlmanDesign

> So I am new to web development and using React. I recently realised that there are a lot of vulnerable packages in react-scripts. Those don't seem to be fixable with "npm audit fix" and require a manual review. I searched around and there doesn't seem to be a proper fix so far. Do we just have to wait for a new CRA version?

This same scenario happened a few weeks ago with the lib dns-packet. What usually happens is that a dependency of a dependency is fixed so that npm audit fix will apply the patch without react-scripts being updated. Hopefully in a few days. If your build tools prevent building with high vulnerabilities, you might have to allow bypass.

@stahlmanDesign

Duplicate #11081

@Primajin
Contributor

Another one is #11012

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.
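The fix gaearon describes works because every path in the report enters through react-scripts. As an added example that is not part of this issue or of create-react-app, the Node script below applies that move to a constructed package.json and reclassifies the issue's three dependency paths by whether their root is still a runtime dependency; the manifest contents and the helper names are assumptions.

```javascript
// Added example (not from the issue or from create-react-app): triage the
// npm audit dependency paths against package.json to decide whether a flagged
// package is reachable only through devDependencies.

// Constructed sample manifest: react-scripts listed as a runtime dependency.
const pkgBefore = {
  name: 'my-app',
  dependencies: { react: '^17.0.2', 'react-dom': '^17.0.2', 'react-scripts': '4.0.3' },
  devDependencies: {},
};

// The three dependency paths reported in the issue.
const auditPaths = [
  'react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > css-what',
  'react-scripts > optimize-css-assets-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what',
  'react-scripts > html-webpack-plugin > pretty-error > renderkid > css-select > css-what',
];

// Return a copy of the manifest with `name` moved from dependencies to devDependencies.
function moveToDevDependencies(pkg, name) {
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  if (!(name in deps)) return pkg; // nothing to move
  devDeps[name] = deps[name];
  delete deps[name];
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Classify each "a > b > c" path by the top-level package it enters through:
// a path rooted only in devDependencies never reaches a production install.
function triagePaths(pkg, paths) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  return paths.map((p) => {
    const chain = p.split('>').map((s) => s.trim());
    const root = chain[0];
    const scope = prod.has(root) ? 'production' : dev.has(root) ? 'dev-only' : 'unknown';
    return { root, vulnerable: chain[chain.length - 1], scope };
  });
}

// How many reported paths still reach a production dependency?
function productionPathCount(pkg, paths) {
  return triagePaths(pkg, paths).filter((r) => r.scope === 'production').length;
}

const pkgAfter = moveToDevDependencies(pkgBefore, 'react-scripts');
console.log('before:', productionPathCount(pkgBefore, auditPaths)); // 3
console.log('after :', productionPathCount(pkgAfter, auditPaths)); // 0
```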

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.


6 participants