npm audit failure (high) due to "css-what" #11067

Closed
rprakash05 opened this issue Jun 8, 2021 · 7 comments
Comments

@rprakash05

Describe the bug

npm audit currently fails on react-scripts@4.0.3 due to a high security vulnerability in css-what. The dependency paths are as follows.

  1. react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > css-what
  2. react-scripts > optimize-css-assets-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what
  3. react-scripts > html-webpack-plugin > pretty-error > renderkid > css-select > css-what

The respective npm advisory is at https://www.npmjs.com/advisories/1745.

Steps to reproduce

  1. Run npm audit on react-scripts@4.0.3
  2. Try to run npm audit fix
  3. Confirm that the fix was not auto resolved.

Expected behavior

npm audit can exit successfully.

Actual behavior

npm audit fails.

@emiwidknowit

Would be great to get this prioritized 👍

@Raynesz

Raynesz commented Jun 8, 2021

So I am new to web development and using React. I recently realised that there are a lot of vulnerable packages in react-scripts. Those don't seem to be fixable with "npm audit fix" and require a manual review. I searched around and there doesn't seem to be a proper fix so far. Do we just have to wait for a new CRA version?

@stahlmanDesign

So I am new to web development and using React. I recently realised that there are a lot of vulnerable packages in react-scripts. Those don't seem to be fixable with "npm audit fix" and require a manual review. I searched around and there doesn't seem to be a proper fix so far. Do we just have to wait for a new CRA version?

This same scenario happened a few weeks ago with the lib dns-packet. What usually happens is that a dependency of a dependency is fixed so that npm audit fix will apply the patch without react-scripts being updated. Hopefully in a few days. If your build tools prevent building with high vulnerabilities, you might have to allow bypass.

@stahlmanDesign

Duplicate #11081

@Primajin
Contributor

Another one is #11012

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.
