update vulnerable dependencies

[juliocarneiro]

Describe the bug

Snyk acuse vulnerable dependencies in react-scripts

Did you try recovering your dependencies?

yes

Which terms did you search for in User Guide?

(Write your answer here if relevant.)

Environment

System:
OS: Windows 10 10.0.19044
CPU: (4) x64 Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
Binaries:
Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.17 - C:\Program Files\nodejs\yarn.CMD
npm: 8.5.0 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: Not Found
Edge: Spartan (44.19041.1266.0), Chromium (98.0.1108.50)
Internet Explorer: 11.0.19041.1202
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: 5.0.0 => 5.0.0
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

(Write your steps here:)

1. Open cra project in vscode
2. Install Snyk plugin
3. Access snyk tab and play plugin

Expected behavior

There should be no vulnerabilities

Actual behavior

Regular Expression Denial of Service (ReDoS)
Vulnerability | CVE-2021-3803 | CWE-1333 | CVSS 7.5 | SNYK-JS-NTHCHECK-1586032
Vulnerable module
nth-check
Introduced through
react-scripts@5.0.0
Fixed in
nth-check@2.0.1
Exploit maturity
Not Defined
Detailed paths
Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > nth-check@1.0.2
Remediation: Upgrade nth-check to version 2.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

---

Regular Expression Denial of Service (ReDoS)
Vulnerability | CVE-2021-33587 | CWE-400 | CVSS 5.3 | SNYK-JS-CSSWHAT-1298035
Vulnerable module
css-what
Introduced through
react-scripts@5.0.0
Fixed in
css-what@5.0.1
Exploit maturity
Not Defined
Detailed paths
Introduced through: react-chrome-extension@2.0.0 > react-scripts@5.0.0 > @svgr/webpack@5.5.0 > @svgr/plugin-svgo@5.5.0 > svgo@1.3.2 > css-select@2.1.0 > css-what@3.4.2
Remediation: Upgrade css-what to version 5.0.1 or higher. (@svgr/webpack@5.5.0 to @svgr/webpack@6.2.1)

Reproducible demo

https://github.com/juliocarneiro/react-chrome-extension

1. Open project in vscode
2. Install Snyk plugin
3. Access snyk tab and play plugin

This can be fixed by updating the @svgr/webpack dependency in react-scripts to latest version (6.2.1) - https://github.com/facebook/create-react-app/blob/main/packages/react-scripts/package.json#L33

[NapalmCodes]

Any ETA on this? Snyk promoted to a high severity vulnerability. Utilizing overrrides for now.

[struginskij]

Any update?

[satori-code]

Any update?

[OmegaDL2]

Do you have any timetable where this might get fixed?

[samanehsan]

This is triggering a high-severity alert in dependabot as well: https://github.com/DataBiosphere/jade-data-repo-ui/security/dependabot/12

[rishabhdugar]

This is showing as high vulnerability for us and dependency on react-scripts 5.0.0CVE-2021-3803 , any pointers/eta on this will be helpful

[juliocarneiro]

Any update?