Razzle utilizes vulnerable versions of browserslist and minimatch as nested dependencies, causing security issues.
Shilpashree-BN opened this issue
Shilpashree-BN commented
🐛 Bug report
Razzle utilizes vulnerable versions of browserslist and minimatch as nested dependencies, causing security issues.
browserslist:
- browserslist is the dependency required by react-dev-utils
- react-dev-utils should be 12.0.0 or above to have the next non-vulnerable version of browserslist
- even the latest version of the razzle-dev-utils package uses react-dev-utils of version ^11.0.0
- both react-dev-utils & razzle-dev-utils are required by razzle; even the latest version of razzle (4.2.18) uses react-dev-utils: ^11.0.4 & razzle-dev-utils: 4.2.18, which have a vulnerable version of browserslist
minimatch:
- minimatch is the dependency required by wallaby-webpack and recursive-readdir
- even the latest version of wallaby-webpack (3.9.16) uses a non-vulnerable version of minimatch.
- minimatch is required by recursive-readdir, which is required by react-dev-utils, which is a dependency of razzle.
- To have a non-vulnerable version of minimatch, react-dev-utils should be updated to 12.0.0, but even the latest version of razzle uses 11.0.4 (not the latest version)
Expected behavior:
Expecting a way to handle this.
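An added example (not code from the issue or from the razzle project) that makes the nested chains described above visible: it walks an `npm ls --all --json`-shaped tree, lists every path that ends in browserslist or minimatch, and flags any react-dev-utils older than 12.0.0, which is the fix criterion the report states. The tree is constructed by hand to mirror the report; the browserslist, minimatch and recursive-readdir versions are placeholders, not real advisory data.

```javascript
// Added example, not from the issue or the razzle project. Walks an
// `npm ls --all --json`-style tree and reports paths to the packages
// the report names. Sample tree is constructed; placeholder versions
// are marked as such and carry no vulnerability information.

const TARGETS = ['browserslist', 'minimatch'];

// Constructed sample mirroring the chains in the report.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    razzle: {
      version: '4.2.18',
      dependencies: {
        'react-dev-utils': {
          version: '11.0.4',
          dependencies: {
            browserslist: { version: 'x.y.z (placeholder)' },
            'recursive-readdir': {
              version: 'x.y.z (placeholder)',
              dependencies: { minimatch: { version: 'x.y.z (placeholder)' } },
            },
          },
        },
        'razzle-dev-utils': { version: '4.2.18' },
      },
    },
  },
};

// Depth-first walk; returns one "a@1 > b@2 > target@3" string per hit.
function findPaths(tree, targets = TARGETS, trail = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${info.version}`];
    if (targets.includes(name)) out.push(path.join(' > '));
    findPaths(info, targets, path, out);
  }
  return out;
}

// The report's fix criterion: every react-dev-utils in the tree must be
// 12.0.0 or newer. Returns the paths that still resolve an older one.
function outdatedReactDevUtils(tree) {
  return findPaths(tree, ['react-dev-utils']).filter((p) => {
    const last = p.split(' > ').pop();
    const ver = last.slice(last.lastIndexOf('@') + 1); // safe for @scoped names
    return Number(ver.split('.')[0]) < 12;
  });
}
```

Run it against real output by replacing `sampleTree` with `JSON.parse` of `npm ls --all --json` from the project root.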