[Snyk] Fix for 9 vulnerabilities

[saurabharch]

Snyk has created this PR to fix 9 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• packages/react-scripts/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	786
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	756
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	696
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	696
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	589
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	579
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	494
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	494
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	479

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[gemini-code-assist]

Summary of Changes

Hello @saurabharch, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated security update initiated by Snyk to enhance the project's security posture. It aims to mitigate 9 identified vulnerabilities by upgrading specific npm dependencies, thereby reducing potential risks associated with outdated or compromised packages.

Highlights

• Vulnerability Fixes: This pull request addresses and fixes 9 identified security vulnerabilities within the project's npm dependencies. These vulnerabilities range in severity from critical to medium, including issues like Incomplete List of Disallowed Inputs, Regular Expression Denial of Service (ReDoS), Excessive Platform Resource Consumption, and Improper Verification of Cryptographic Signature.
• Dependency Upgrades: The resolution for these vulnerabilities is achieved by upgrading several key npm packages. This includes significant version bumps for babel-eslint, react-dev-utils, uglifyjs-webpack-plugin, and webpack-dev-server.
• Automated Remediation: The pull request was automatically generated by Snyk, a security platform, indicating an automated process for identifying and proposing fixes for known vulnerabilities in the project's dependencies.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, aims to fix 9 security vulnerabilities by upgrading several npm dependencies. However, the proposed upgrades include multiple major version bumps for key development dependencies like babel-eslint, react-dev-utils, and webpack-dev-server. My review has identified that these upgrades introduce significant breaking changes that will cause the application's build and development server to fail. The automated version bumps do not account for the necessary code migrations for new APIs and configuration schemas. Therefore, while the intent to fix vulnerabilities is correct, this PR in its current state cannot be merged. A manual, more comprehensive upgrade of the toolchain is required.

[gemini-code-assist]

The update of babel-eslint to version 10.1.0 introduces a breaking change that will cause the build to fail.

• Peer Dependency Conflict: [email protected] has a peer dependency on eslint@>=6, but this project uses [email protected]. This version mismatch will lead to installation errors and break the linting process.
• Package Deprecation: babel-eslint is deprecated and has been superseded by @babel/eslint-parser. A proper upgrade should involve migrating to the new package and updating eslint and its related configurations accordingly.

[gemini-code-assist]

The major version upgrade of react-dev-utils from ^5.0.0 to ^12.0.0 introduces significant breaking API changes that will break the development server.

For example, the createCompiler function from react-dev-utils/WebpackDevServerUtils has changed its signature. The existing code in scripts/start.js calls it with positional arguments, but the new version expects a single options object. This will cause a runtime error when starting the development server.

A manual migration of the scripts using this utility is required to accommodate the new API.

[gemini-code-assist]

Upgrading webpack-dev-server from v3 to v4 is a major undertaking with numerous breaking changes that will break the development server.

1. Configuration Incompatibility: The configuration file config/webpackDevServer.config.js uses many options that were removed or renamed in v4 (e.g., disableHostCheck, contentBase, quiet, before). The server will fail to start with the current configuration.
2. Constructor Change: The WebpackDevServer constructor signature changed from new WebpackDevServer(compiler, options) to new WebpackDevServer(options, compiler). The call in scripts/start.js uses the old signature and will fail.

This update requires a complete rewrite of the webpack dev server configuration and instantiation logic.

[gemini-code-assist]

This PR updates uglifyjs-webpack-plugin from 1.2.5 to 2.0.0. While this fixes a vulnerability, it's important to note that this package is deprecated. The recommended replacement is terser-webpack-plugin, which is used in modern versions of create-react-app and provides better ES6+ minification support.

Given that other dependencies in this PR are major versions with breaking changes, a piecemeal upgrade is risky. It would be safer to perform a more holistic upgrade of the build toolchain, including moving to terser-webpack-plugin.