React-Scripts dependencies with CVEs

[kevinfealey]

Is your proposal related to a problem?

Snyk reports vulnerabilities in react-scripts dependency tree:

✗ Medium severity vulnerability found in dot-prop

Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489

Introduced through: react-scripts@3.3.1
From: react-scripts@3.3.1 > optimize-css-assets-webpack-plugin@5.0.3 > cssnano@4.1.10 > cssnano-preset-default@4.0.7 > postcss-merge-rules@4.0.3 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0
From: react-scripts@3.3.1 > optimize-css-assets-webpack-plugin@5.0.3 > cssnano@4.1.10 > cssnano-preset-default@4.0.7 > postcss-minify-selectors@4.0.2 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0
From: react-scripts@3.3.1 > optimize-css-assets-webpack-plugin@5.0.3 > cssnano@4.1.10 > cssnano-preset-default@4.0.7 > postcss-merge-longhand@4.0.11 > stylehacks@4.0.3 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0
Fixed in: 5.1.1

✗ Medium severity vulnerability found in @hapi/hoek

Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-HAPIHOEK-548452

Introduced through: react-scripts@3.3.1
From: react-scripts@3.3.1 > workbox-webpack-plugin@4.3.1 > workbox-build@4.3.1 > @hapi/joi@15.1.1 > @hapi/hoek@8.5.0
From: react-scripts@3.3.1 > workbox-webpack-plugin@4.3.1 > workbox-build@4.3.1 > @hapi/joi@15.1.1 > @hapi/topo@3.1.6 > @hapi/hoek@8.5.0
Fixed in: 8.5.1, 9.0.3

Please note that although the above references react-scripts@3.3.1, v3.4.0 has not updated these dependencies and therefore has the same problem.

Describe the solution you'd like

Release a new version of react-scripts that updates to the latest versions of workbox-webpack-plugin and optimize-css-assets-webpack-plugin, which should resolve this issue.

Describe alternatives you've considered

None

Additional context

N/A

[krisgerhard]

I'll add some from react-scripts@3.4.1 (latest)

Description: Prototype Pollution
Info: https://app.snyk.io/vuln/SNYK-JS-YARGSPARSER-560381**

Introduced through: react-scripts@3.4.1 › webpack-dev-server@3.10.3 › yargs@12.0.5 › yargs-parser@11.1.1

[shmily40686]

+1 for yargs-parser

[MrMonsk]

yargs-parser has had breaking changes in its releases since 16.1.0: https://github.com/yargs/yargs-parser/releases

In the meantime, forcing resolution to an pre-breaking change release of yargs-parser seems to work

[thecaptain10]

any version of react-scripts package without this vulnerability?

[vikramdadwal]

any fix planned for yargs-parser ?

[ianschmitz]

Please file with webpack-dev-server about yargs-parser. There's nothing we can from our end to update their dependencies.

[priegger]

There is a webpack-dev-server issue: webpack/webpack-dev-server#2559

[mhassan1]

FYI: webpack/webpack-dev-server#2581 has been merged and yargs-parser@3.11.0 has been released with the fix.

I've opened a PR here to upgrade yargs-parser: #8975

[mhassan1]

When might we expect the next release of react-scripts?

[dillu24]

When might we expect the next release of react-scripts?

Hope that this is soon because a new high priority vulnerability has been raised now:

Denial of Service in the web-pack dependency

[matteofigus]

@ianschmitz @iansu do you know when the next release will happen? I think it would be nice if we could get security related changes published as soon as possible after being reviewed and merged.

I would love to help if I can. If there are specific tasks needed or technical blockers, I would be happy to be involved and pick up some work?

[sonikamah]

I am also getting this error for react-scripts > webpack-dev-server > yargs > yargs-parser, Is there any solution to it ? My website build is getting failed because of this error.

                  === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts [dev]

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1690 scanned packages
1 vulnerability requires manual review. See the full report for details.

[dillu24]

I am also getting this error for react-scripts > webpack-dev-server > yargs > yargs-parser, Is there any solution to it ? My website build is getting failed because of this error.

                  === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts [dev]

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1690 scanned packages
1 vulnerability requires manual review. See the full report for details.

Same here. I am tracking this issue here https://github.com/zw627/react-router-github-pages/issues/11

[shahrukhsiddiqui]

Getting this audit report is their any update on this ?
`
=== npm audit security report ===

                                           Manual Review

Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parse

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1620 scanned packages
1 vulnerability requires manual review. See the full report for details.`

[AbhaysinghBhosale]

Getting the same issue mentioned above, is there any new version of react-script which will fix this issue.

Low             Prototype Pollution                                                                                                                   
Package         yargs-parser                                                                                                                        
Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2                                                                                           
Dependency of   react-scripts [dev]                                                                                                                            
Path            react-scripts > webpack-dev-server > yargs > yargs-parser                                                                                   
More info       https://nodesecurity.io/advisories/1500

[lausellduane]

I am having the same issue, any updates on this?

[shridharbhandiwad]

Same issue here.

Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.

found 4982 low severity vulnerabilities in 1641 scanned packages
4982 vulnerabilities require manual review. See the full report for details.

Attached is the vulnerability report.
vulnerability-report.txt

[EoghanBonass]

Same issue here.

Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.

found 4982 low severity vulnerabilities in 1641 scanned packages 4982 vulnerabilities require manual review. See the full report for details.

Most of these are not related to yargs-parser - they're from a new vulnerability raised by npm for lodash. This PR https://github.com/lodash/lodash/pull/4759 has already been merged to fix the issue, so npm will probably release a patch based on the PR.

[jacobwicks]

Same issue here.
Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.
found 4982 low severity vulnerabilities in 1641 scanned packages 4982 vulnerabilities require manual review. See the full report for details.

Most of these are not related to yargs-parser - they're from a new vulnerability raised by npm for lodash. This PR https://github.com/lodash/lodash/pull/4759 has already been merged to fix the issue, so npm will probably release a patch based on the PR.

Good to know, I just spent a while trying unsuccessfully to fix this.

[shridharbhandiwad]

Same issue here.
Getting nearly 5000 low severity vulnerabilities with react-scripts 3.4.1.
found 4982 low severity vulnerabilities in 1641 scanned packages 4982 vulnerabilities require manual review. See the full report for details.

Most of these are not related to yargs-parser - they're from a new vulnerability raised by npm for lodash. This PR https://github.com/lodash/lodash/pull/4759 has already been merged to fix the issue, so npm will probably release a patch based on the PR.

Thanks a lot for the update @EoghanBonass

[EoghanBonass]

No problem @shridharbhandiwad and @jacobwicks 🙂

The lodash PR was merged into what I assume is a release branch (lodash:4.17.15-post), so this needs to be fully released and then whitelisted by npm for the lodash vulnerability to be resolved.

[dimaqq]

re: workbox, would it makes sense to make it optional?
I feel that there was a time when Google pushed PWA and I think that was perhaps the impetus of adding it in, right?
But today, is it all that common to use web workers?

[iamjatinchauhan]

when other dependencies are updated the yargs-parser get rollback to its previous older versions.

on updating outdated packages, yargs-parser needs manual audit to update its new patch again.

[jimmyandrade]

cc @vigomesbr

[schontz]

1. When will this be fixed?
2. Does it actually matter? In other words, does any of the broken lodash or yargs code end up in the final build?

[gaearon]

There are no and have been no vulnerabilities here that would affect Create React App projects. These are all false positives because none of this code ends up in a build.

This is all, unfortunately, wasted effort.

[gaearon]

I’m going to close as there’s no real vulnerabilities and they’re all transitive. This means that if you are determined to spend time on false positives (for example, maybe your company adopted a policy that treats false positives from npm audit as real issues) then you need to file issues in the transitive dependencies. Once those are fixed you need to regenerate the lockfile. There is nothing actionable for Create React App here.