React-Scripts dependencies with CVEs

[kevinfealey]

Is your proposal related to a problem?

Snyk reports vulnerabilities in react-scripts dependency tree:

✗ Medium severity vulnerability found in dot-prop

Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489

Introduced through: react-scripts@3.3.1
From: react-scripts@3.3.1 > optimize-css-assets-webpack-plugin@5.0.3 > cssnano@4.1.10 > cssnano-preset-default@4.0.7 > postcss-merge-rules@4.0.3 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0
From: react-scripts@3.3.1 > optimize-css-assets-webpack-plugin@5.0.3 > cssnano@4.1.10 > cssnano-preset-default@4.0.7 > postcss-minify-selectors@4.0.2 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0
From: react-scripts@3.3.1 > optimize-css-assets-webpack-plugin@5.0.3 > cssnano@4.1.10 > cssnano-preset-default@4.0.7 > postcss-merge-longhand@4.0.11 > stylehacks@4.0.3 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0
Fixed in: 5.1.1

✗ Medium severity vulnerability found in @hapi/hoek

Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-HAPIHOEK-548452

Introduced through: react-scripts@3.3.1
From: react-scripts@3.3.1 > workbox-webpack-plugin@4.3.1 > workbox-build@4.3.1 > @hapi/joi@15.1.1 > @hapi/hoek@8.5.0
From: react-scripts@3.3.1 > workbox-webpack-plugin@4.3.1 > workbox-build@4.3.1 > @hapi/joi@15.1.1 > @hapi/topo@3.1.6 > @hapi/hoek@8.5.0
Fixed in: 8.5.1, 9.0.3

Please note that although the above references react-scripts@3.3.1, v3.4.0 has not updated these dependencies and therefore has the same problem.

Describe the solution you'd like

Release a new version of react-scripts that updates to the latest versions of workbox-webpack-plugin and optimize-css-assets-webpack-plugin, which should resolve this issue.

Describe alternatives you've considered

None

Additional context

N/A

[krisgerhard]

I'll add some from react-scripts@3.4.1 (latest)

Description: Prototype Pollution
Info: https://app.snyk.io/vuln/SNYK-JS-YARGSPARSER-560381**

Introduced through: react-scripts@3.4.1 › webpack-dev-server@3.10.3 › yargs@12.0.5 › yargs-parser@11.1.1

[shmily40686]

+1 for yargs-parser

[MrMonsk]

yargs-parser has had breaking changes in its releases since 16.1.0: https://github.com/yargs/yargs-parser/releases

In the meantime, forcing resolution to an pre-breaking change release of yargs-parser seems to work

[thecaptain10]

any version of react-scripts package without this vulnerability?

[vikramdadwal]

any fix planned for yargs-parser ?

[ianschmitz]

Please file with webpack-dev-server about yargs-parser. There's nothing we can from our end to update their dependencies.

[priegger]

There is a webpack-dev-server issue: webpack/webpack-dev-server#2559

[mhassan1]

FYI: webpack/webpack-dev-server#2581 has been merged and yargs-parser@3.11.0 has been released with the fix.

I've opened a PR here to upgrade yargs-parser: #8975

[mhassan1]

When might we expect the next release of react-scripts?

[dillu24]

When might we expect the next release of react-scripts?

Hope that this is soon because a new high priority vulnerability has been raised now:

Denial of Service in the web-pack dependency

[matteofigus]

@ianschmitz @iansu do you know when the next release will happen? I think it would be nice if we could get security related changes published as soon as possible after being reviewed and merged.

I would love to help if I can. If there are specific tasks needed or technical blockers, I would be happy to be involved and pick up some work?

[sonikamah]

I am also getting this error for react-scripts > webpack-dev-server > yargs > yargs-parser, Is there any solution to it ? My website build is getting failed because of this error.

                  === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts [dev]

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 1 low severity vulnerability in 1690 scanned packages
1 vulnerability requires manual review. See the full report for details.