
OWASP Dependency Check found 83 Critical Security Vulnerabilities in react-scripts:4.0.1, 3.4.4 package #10323


Closed
shrikantGitHVantara opened this issue Jan 1, 2021 · 1 comment

Comments

@shrikantGitHVantara

Hi,
I used the OWASP Dependency Check Jenkins plugin to detect security vulnerabilities in my ReactJS application built using the create-react-app CLI. The critical issues are mainly due to these packages present in react-scripts 4.0.1 and 3.4.4:
[email protected] > [email protected] (most of the issues are due to this package)
[email protected] > [email protected] - >=3.0.2
[email protected] > -- [email protected] - upgrade set-value >=3.0.0
[email protected] > -- [email protected] - > upgrade merge >=1.2.1
[email protected] > [email protected] - <2.0.2, ~<3.0.2
[email protected] > [email protected] - > 0.11.2
[email protected] > [email protected] - > 4.17.12

Steps to reproduce it:

  1. Build a React application using create-react-app.
  2. Use the OWASP Dependency Check Maven/Jenkins plugin to scan the project.
  3. See the report by clicking on the 'Dependency Check' link once the project is built.

Here is a snapshot of the report.
[screenshot: Sec_VulnerabilityIssues]
This is our package.json:
  "dependencies": {
    "@hv/uikit-react-core": "^3.5.1",
    "@hv/uikit-react-icons": "^3.1.0",
    "@hv/uikit-react-lab": "^3.0.7",
    "@material-ui/core": "^4.11.2",
    "@material-ui/lab": "^4.0.0-alpha.57",
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.3.2",
    "@testing-library/user-event": "^7.1.2",
    "axios": "^0.21.1",
    "core-js": "^3.8.1",
    "dayjs": "1.8.26",
    "easy-soap-request": "^4.1.1",
    "node-sass": "^4.14.1",
    "plotly.js-basic-dist": "^1.58.4",
    "react": "^16.13.1",
    "react-app-polyfill": "^1.0.6",
    "react-cron-builder": "1.0.4",
    "react-dom": "^16.13.1",
    "react-google-charts": "3.0.15",
    "react-idle-timer": "4.2.12",
    "react-monaco-editor": "^0.36.0",
    "react-redux": "^7.2.0",
    "react-router-dom": "^5.1.2",
    "react-scripts": "^4.0.1",
    "redux": "^4.0.5",
    "redux-saga": "^1.1.3",
    "xml2js": "^0.4.23"
  }

Please suggest a remediation for these issues.

@gaearon
Contributor

gaearon commented Feb 18, 2021

There is no actual vulnerability here. This is a transitive dependency of webpack (a build tool — not a part of your app!), and you can bring it up with them, but we're not using webpack in any way that would cause this vulnerability to affect your project.
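The point gaearon makes above is that a scanner finding on a transitive dependency only matters if the flagged code is reachable from something that runs in the application, not just from build tooling. The package.json in the issue shows why a scanner cannot tell this from the manifest alone: create-react-app puts react-scripts under "dependencies", so webpack and its subtree look like runtime dependencies. The following is an added triage helper, not code from this issue or from the create-react-app project: it flattens a dependency tree in the shape of `npm ls --all --json` output, enumerates every path from the application root to a flagged package, and classifies the finding as build-time-only or runtime exposure. The sample tree, the build-tooling set and the node name `some-build-helper` are constructed for the demonstration and do not reflect the real dependency tree of react-scripts.

```javascript
// Added example (not code from the issue or from create-react-app).
// Triage helper for scanner findings on transitive packages: enumerate every
// dependency path from the application root to the flagged package and classify
// the exposure. A path that passes through build tooling (react-scripts, webpack,
// jest) exists only at build/test time; the flagged code never ships in the
// production bundle. A path that avoids build tooling is runtime exposure.

// Packages treated as build-time-only tooling. Assumption for this example;
// extend it for your own toolchain.
const BUILD_TOOLING = new Set(['react-scripts', 'webpack', 'jest']);

// Constructed sample in the shape of `npm ls --all --json` output. The nodes
// below react-scripts ('some-build-helper' in particular) are invented for the
// demo and are NOT the real dependency tree; only the top-level names and
// versions come from the issue's package.json.
const SAMPLE_NPM_LS = {
  name: 'my-app',
  dependencies: {
    react: { version: '16.13.1' },
    'react-dom': { version: '16.13.1' },
    axios: { version: '0.21.1' },
    'react-scripts': {
      version: '4.0.1',
      dependencies: {
        webpack: {
          dependencies: { 'some-build-helper': { dependencies: { 'set-value': {} } } },
        },
        jest: {
          // npm marks repeated subtrees as deduped and omits their children
          dependencies: { 'some-build-helper': { deduped: true } },
        },
      },
    },
  },
};

// Flatten the nested npm ls tree into an adjacency list (name -> direct deps),
// merging the edges of deduped occurrences with the fully expanded occurrence.
function graphFromNpmLs(tree) {
  const graph = {};
  function visit(name, node) {
    const deps = Object.keys(node.dependencies || {});
    graph[name] = Array.from(new Set([...(graph[name] || []), ...deps]));
    for (const dep of deps) visit(dep, node.dependencies[dep]);
  }
  visit(tree.name, tree);
  return graph;
}

// Depth-first enumeration of all simple paths from root to target.
function findPaths(graph, root, target) {
  const paths = [];
  function walk(node, path) {
    if (path.includes(node)) return; // cycle guard (peer/optional deps can loop)
    const next = [...path, node];
    if (node === target) {
      paths.push(next);
      return;
    }
    for (const dep of graph[node] || []) walk(dep, next);
  }
  walk(root, []);
  return paths;
}

// Classify a flagged package: 'not-present', 'build-time-only' or 'runtime'.
function classify(graph, root, target, buildTooling = BUILD_TOOLING) {
  const paths = findPaths(graph, root, target);
  const runtimePaths = paths.filter((p) => !p.some((n) => buildTooling.has(n)));
  let exposure = 'not-present';
  if (paths.length > 0) exposure = runtimePaths.length > 0 ? 'runtime' : 'build-time-only';
  return { exposure, paths, runtimePaths };
}

// Human-readable report for one finding: classification plus every path.
function report(graph, root, target) {
  const { exposure, paths } = classify(graph, root, target);
  const lines = [`${target}: ${exposure}`];
  for (const p of paths) lines.push('  ' + p.join(' > '));
  return lines.join('\n');
}

console.log(report(graphFromNpmLs(SAMPLE_NPM_LS), 'my-app', 'set-value'));
```

On a real project, replace `SAMPLE_NPM_LS` with the parsed output of `npm ls --all --json` and run `report` for each package the scanner flags. A "build-time-only" result supports closing the finding as not affecting the shipped application, which is the argument made in the reply above; it does not mean the upgrade is worthless, since build tooling still runs on developer machines and CI runners, so the finding is better tracked as a lower-severity supply-chain item than dropped.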
