
browserlist Security Vulnerability #11077


Closed
zpeterson opened this issue Jun 8, 2021 · 6 comments

Comments

@zpeterson

Your dependency on browserslist v4.14.2 is vulnerable and needs to be updated here: react-dev-utils/package.json#L57.

@ohhyunjin

ohhyunjin commented Jun 8, 2021

Not sure if I can mention this here, but there's also a vulnerability issue I'm getting in a project, which is with the postcss dependency in react-scripts, and GitHub Dependabot is telling me to upgrade to v8.2.10 or later.

UPDATE
After a few days, today I got another alert, now with another dependency, normalize-url, and it won't let me update to a non-vulnerable version due to conflicting dependencies with react-scripts. Screenshot attached below.
[Screenshot: Screen Shot 2021-06-12 at 9 13 01]

@thisKeeWord

^ likewise

@ohhyunjin

Any updates on this issue? I keep getting vulnerability alerts in my repo.

@croraf

croraf commented Jun 21, 2021

Can this be closed in favor of: #11012 ?

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.

5 participants