npm audit vulnerability : react-scripts > webpack-dev-server > yargs > yargs-parser

[sonikamah]

while running npm audit , I am getting the below error for 'react-scripts' (1 low vulnerability ),
could you please help me ?

• Below I have added my package.json.

• Error is for : "react-scripts > webpack-dev-server > yargs > yargs-parser"

npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

---

package.json -> dependencies

"dependencies": {
"react": "^16.12.0",
"react-dom": "^16.12.0",
"react-router-dom": "^5.1.2",
"react-scripts": "3.4.0",
"reactstrap": "^8.4.1"
},

[dillu24]

Any updates on how much time this will take?

[sonikamah]

Any updates on how much time this will take?

not yet ... any other alternative solution do you have, as build is getting failed ?

[mohrash92]

I have usually fixed this issue by deleting the package-lock.json or yarn.lock and then running npm install or yarn (depending on which one you use).

[sonikamah]

I have usually fixed this issue by deleting the package-lock.json or yarn.lock and then running npm install or yarn (depending on which one you use).

Thanks for your input. have tried deleting package.json but no luck.

[scailbc]

It should be enough to update webpack-dev-server to the latest version 3.11.0 in react-scripts.
This is already done in master branch, so we just need a new release of react-scripts

[dillu24]

It should be enough to update webpack-dev-server to the latest version 3.11.0 in react-scripts.
This is already done in master branch, so we just need a new release of react-scripts

Hope it is soon.

[sonikamah]

It should be enough to update webpack-dev-server to the latest version 3.11.0 in react-scripts.
This is already done in master branch, so we just need a new release of react-scripts

Hope it is soon.

any luck ?

[damien-git]

See also: #8529, #8970, #8975.

[tatebosler]

This appears to be happening even when "react-scripts": "^3.4.0" or "react-scripts: "3.4.1" is used. On version 3.4.1, npm ls gives the following output:

└─┬ react-scripts@3.4.1
 [ snipped for brevity ]
  ├─┬ webpack-dev-server@3.10.3

Looks like the package.json file on npm needs an update or something, as it's already been addressed here: https://github.com/facebook/create-react-app/blob/master/packages/react-scripts/package.json#L82

[dillu24]

Anyone managed to solved this?

[tonix-tuft]

Any news about the update? Is a newer version of react-scripts > 3.4.1 fixing this warning going to be released soon? Thanks!

[jamespagedev]

Also confirming I am seeing this issue. I ran into it when I had to do a npm install to read my created .env file. After the npm install, react-scripts": "3.3.1" wasn't loading with npm start. After reading here: https://stackoverflow.com/questions/60234640/typeerror-err-invalid-arg-type-the-path-argument-must-be-of-type-string-re

Upgrading the version made it work again, but this makes me and my team uneasy.

And now I'm seeing this same issue as the op... I love react, but please don't let it become unstable or it will be a hard sell to my team. I'm also hoping to get the next update to make the warning go away.

[eMarek]

Almost month around when this was fixed in dependent webpack-dev-server package (https://github.com/webpack/webpack-dev-server/releases/tag/v3.11.0) and still no one has taken 5 minutes to bump the version of it in CRA? Looks like there is not enough pissed off dev-ops around the globe who are angry at failing pipelines because of npm audit or yarn audit. :D

[valoricDe]

Hi @iansu do you want to take credit for closing 4 issues in create-react-app?
You would have to release master for this. Or are there any blockers?
It would help us a lot. And if you will ever be in Berlin I invite you to a beer ;) Deal?

[scottjason]

Hi there,

Wondering if anyone knows the plan around resolving this issue?

[mohsenari]

The commit is merged to master to fix this issue but there hasn't been a new release since March 20, 2020. Is anyone able to give a time frame for when a new release will be out?

[jaredgisin]

This issue has a lot of complaints and is a problem for a lot of people who depend on this package. it blocks our application from being deployed to our production systems. The fix is known and has been made a long time ago. The day it was made it should have been released. Security-related item must be prioritized over any other fixes. Please make the release now and prove that you're good maintainers of your product.

[dillu24]

This has been open for far too long now. I expect a release ASAP to fix this issue once and for all, or at least some response from the devs.

[petetnt]

Hi,

the vulnerable code in yargs-parser is not actually used in CRA context. But all the security related things are taken very seriously and webpack-dev-server was already updated in #8975 and will be released in 4.0.0.

[petetnt]

See and comment #9131 on how to help with 4.0.0. crossing the finish line :)

[damien-git]

I hope you are not expecting users to update to 4.0.0, which could break many other things, to fix a security warning. This should be a minor update.

[mamtach]

I am also seeing this warning (from today only), please help if you have any update or solution.

-And I have reinstalled the npm packages and other steps given in this forum, but warning doesn't go away.

[andrewsteadcc]

You can resolve this by updating you package-lock.json file

Update yargs-parser 11.1 to 13.1.2 in all instances.

Also in that file, anywhere that you find yargs-parser been included with a version and a registry link, update it to the 13.1.2 using the details below

"version": "13.1.2",
"resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz",
"integrity": "sha512-3lbsNRf/j+A4QuSZfDRA7HRSfWrzO0YjqTJd5kjAq37Zep1CEgaYmrH9Q3GwPiB9cHyd1Y1UwggGhJGoxipbzg==",

This is how I resolve this in our CI/CD pipeline

[mamtach]

Thanks @andrewsteadcc , these steps have removed the warning.

[sonikamah]

Thanks ... this hack worked for me as well .. Thanku soo much ...

On Thu, 25 Jun 2020 at 4:39 PM, Mamta ***@***.***> wrote: Thanks @andrewsteadcc <https://github.com/andrewsteadcc> , these steps have removed the warning. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#9033 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACBK5CGQJXXR7T2WJEJDSNDRYMV5TANCNFSM4NFDKVZA> .

-- Sent from I phone

[shawntax]

An absolute bunch of BALONEY that it's been 50 days and we can't get a minor update to fix a vulnerability.

[sonikamah]

Truee ....

On Thu, 9 Jul 2020 at 1:16 AM, shawn ***@***.***> wrote: An absolute bunch of BALONEY that it's been 50 days and we can't get a minor update to fix a vulnerability. <https://camo.githubusercontent.com/ec64e8072bf6cfcd2a36527aef81df35b5b38e1e/68747470733a2f2f6d65646961322e67697068792e636f6d2f6d656469612f645838524344437a766230355963714e45622f67697068792e6769663f6369643d656366303565343730326564396538333239323463646438646637363963336161353735373935613961343135356164267269643d67697068792e676966> — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#9033 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACBK5CC5V7KQGTPCCX6MZ5LR2TEKJANCNFSM4NFDKVZA> .

-- Sent from I phone

[dillu24]

2 months for a vulnerability fix is ridiculous.

[calderaax]

this seems to be fixed already but is not available on npm repos.
The web-dev-server is already implementing yargs": "^13.3.2"
webpack/webpack-dev-server#2612

and react-script is already implementing last version of web-dev-server "3.11.0"
#8975
#8970

What i don't understand is the "not yet released". Anyone could give more information about this?

thanks

[shawntax]

@calderaax That is the golden question, my friend. Only the CRA team can give us more information on why they are choosing not to create a minor release. Currently, their plan is to wait until 4.0.0 is ready.

[iansu]

We've updated webpack-dev-server to the latest version in preparation for the 4.0 release. This should be fixed in that release.

[eMarek]

My product manager kicks me in the ass if I close a ticket which is not really resolved.

[gmeben]

For any onlookers confused, here's the sequence of events as I'm able to trace it:

1. On February 14th, 2020, create-react-app v3.4.0 was released.
2. A vulnerability with yargs-parser versions <=13.1.2, 14.0.0 - 15.0.0, 16.0.0 - 18.1.0 was disclosed on March 16th, 2020 by Snyk Security Team on their website.
3. This vulnerability propagated to create-react-app v3.4.0 as yargs-parser is a dependency of yargs, a dependency of webpack-dev-server, a dependency of react-scripts, which is a dependency of create-react-app.
4. On March 20th, 2020, create-react-app v3.4.1 was released.
5. On April 30th, 2020, the vulnerability from yargs-parser was disclosed publicly to create-react-app maintainers.
6. On May 8th, 2020, the vulnerability within webpack-dev-server was fixed by upgrading its yargs dependency to a later version 13.3.2.
7. Later that same day, the vulnerability within react-scripts was fixed by upgrading its webpack-dev-server dependency to the newly released version 3.11.0. The fix was merged into the master branch, but a new release for version 3.4.2 was not tagged to trigger the fix automatically for users.
8. As of July 22nd, 2020, create-react-app maintainers have indicated a preference for proceeding with including the fix in version 4 over of tagging a new minor or patch release for version 3.

tl;dr A tagged release for 3.4.2 to include the fix for this issue was never made by maintainers.

[rikoe]

I am a bit shocked that (1) this issue has been closed, (2) the create-react-app maintainers will expect people to do a major version upgrade to fix a security vulnerability that can be easily addressed with a simple npm dependency bump and a point release.

If version 4.0 was already released and the issue fixed in that version, I would still expect a 3.4.x version bump for people on that version who aren't ready to upgrade.

It's what other packages do 🤷‍♂️.

[tonix-tuft]

Why doesn't react-scripts depend on webpack-dev-server using the caret ^ in the dependency version, e.g. webpack-dev-server: "^3.10.3", this would be enough and when we run npm update things will fix themselves.

The current published react-scripts depends on "webpack-dev-server": "3.10.3",, i.e. strictly version 3.10.3: https://unpkg.com/react-scripts@3.4.1/package.json

[tkw1536]

For those using yarn, a workaround might be to add a Selective dependency resolution. This can be done by adding the following to your package.json:

"resolutions": {
    "react-scripts/webpack-dev-server": "^3.10.3"
},

and then re-running yarn install.

When doing this locally I also needed to add SKIP_PREFLIGHT_CHECK=true to my .env. I consider this issue a major bug in create-react-app, and believe it should be re-opened.

[gaearon]

To be clear, the vulnerability has no actual effect on CRA apps. The description says it’s for a DDOS attack which is completely irrelevant because CRA doesn’t use WDS for production environments. (It doesn’t even have a production web server.)

While I agree that ideally a release should be cut to satisfy people affected by enterprise requirements, we are looking at a case of an overzealous audit checker, not an actual vulnerability that affects your apps.

[gaearon]

Hey all, I'd like to apologize for the delay here. We really dropped the ball on this, and I'm sorry for the frustration it caused. I've just cut react-scripts@3.4.2 which bumps us to webpack-dev-server@3.11.0 with the fix.

Again, I need to be clear that there was no actual vulnerability here at any point in time. It is unfortunate that in the JavaScript ecosystem, "audits" have an extremely low signal-noise ratio, and especially with the build tooling, very rarely reveal actual issues. If this were an actual vulnerability we'd definitely have prioritized cutting a patch on the same day. That said, I totally recognize that this is not an argument you can use in an enterprise deployment situation.

As @tkw1536 notes, Yarn has a feature called "resolutions" which lets you override transitive dependencies. I strongly recommend to use it whenever you have a problem like this which hasn't been addressed soon enough (for which, as I said earlier, I'm sorry).

To prevent this from happening again, I'm adding a dedicated reporting mechanism for security issues (5e41ca0) to this repo. We're not watching every thread and CRA is largely community-maintained, so please don't hesitate to escalate an issue to Facebook directly through that URL if it is an urgent security matter. Thank you!

[rikoe]

Thanks very much for addressing this @gaearon!

[mike-flores]

There appears to be another broken dependency.
serialize-javascript 2.1.2 is being used by react-scripts.

[gaearon]

@mike-flores this is not a clear report. Please file a new issue and describe what you’re reporting in more detail (“broken” how?)

[gaearon]

I’m locking because the discussion is starting to go offtopic and we risk losing important information in a closed issue.