react-scripts 5.0.1 having vulnerable transitive libraries #12851

aish110 · 2022-11-15T11:52:51Z

We are using react-scripts 5.0.1 library, and facing some security vulnerabilities in its dependent packages.

nth-check v1.0.2 - vulnerable to Inefficient Regular Expression Complexity
loader-utils v2.0.2 - A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js
minimatch v3.0.4 - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

These packages if upgraded to the below versions will fix the vulnerabilities:
nth-check v2.0.1
minimatch v3.0.5

Please upgrade react-scripts with transitive dependencies security patches.

wozzo · 2022-11-16T18:07:20Z

PR #12172 should resolve all of those, but no work has been done on this repo since September from the looks of it.

mark-wiemer · 2023-02-20T07:35:23Z

See #11174, this is a non-issue

ethhandy · 2024-09-02T12:41:15Z

No update on this yet? I am having the same issue.

Node version: v14.18.3
Npm version: 6.14.15

aish110 added issue: bug report needs triage labels Nov 15, 2022

cogwirrel mentioned this issue Dec 16, 2022

chore: upgrade minimatch/loader-utils for dependabot alerts (really) aws/aws-pdk#255

Merged

Provide feedback