creativetimofficial / argon-design-system

Argon - Design System for Bootstrap 4 by Creative Tim

Home Page: https://www.creative-tim.com/product/argon-design-system


[Bug] High Severity Vulnerabilities in Older react-scripts and node-sass and Nested Dependencies

mekkim opened this issue

Version

Latest

Reproduction link

https://github.com/mekkim/donatemask

Operating System

All

Device

All

Browser & Version

All

Steps to reproduce

Run npm audit against the latest branch.

What is expected?

No vulnerabilities in dependencies

What is actually happening?

38 vulnerabilities (20 moderate, 18 high) in dependencies.
npm audit fix advises that upgrades required to address vulnerabilities are breaking.


Solution

Dependencies and any resulting breaking feature changes should be resolved:
- react-scripts to version 5.0.0+
- node-sass to version 7.0.1+

Additional comments

npm audit log: https://pastes.io/tr6m6umkip

Changing the dependencies in the package.json to the following:

"node-sass": "latest",
"react-scripts": "latest",

appears to address the issue. npm audit shows cyclic problems with /lower/ versions and npm audit fix --force will try to downgrade and then if run again, upgrade back and forth. Since latest versions are above the critical severity vulnerability versions, one can safely assume the remaining npm audit issues can be ignored.

Seems to install and run fine with latest versions of node-sass and react-scripts but I haven't thoroughly tested, so YMMV.

Actually, the other npm audit fix issues are nested dependency vulnerabilities that require npm shrinkwrap to address per: https://www.juliendesrosiers.com/2020/05/29/update-vulnerable-nodejs-nested-package.php

Final update: Whole issue can be addressed by changing the package.json as follows:

"node-sass": "latest",
"react-scripts": "latest",

plus adding at the end:

"overrides": {
  "glob-parent": "latest",
  "nth-check": "latest"
}

Hi @mekkim,

Thank you for working with our products.

It seems like you are using the React version of the Argon Design System. Can you please reopen this issue on its official repo: https://github.com/creativetimofficial/argon-design-system-react?

Thank you,
Rares