Question About 6 high severity vulnerabilities #13227

Open
parmpreetnanrhe opened this issue Jun 11, 2023 · 9 comments · May be fixed by #13778

Comments

@parmpreetnanrhe

I am getting this message in my terminal that the package contains 6 high severity vulnerabilities. Is it safe to go with this package these days?

I am new to this type of project. I am unable to understand everything mentioned about this topic on the internet. Can anyone help me understand: is it really a problem that can lead to data loss or backend tracking?

@dave9123

Try running npm i @svgr/webpack --save-dev

@jrjake

jrjake commented Jun 12, 2023

See issue #11174, it is OK to ignore this warning.

@denezra

denezra commented Jun 16, 2023

@wfjake Hmm, is there a way to fix this just to ignore it? Because this will cause a detection on my CSEC scan.

@dave9123

Try running npm i @svgr/webpack --save-dev

Might help you :)

@denezra

denezra commented Jun 20, 2023

@dave9123 Still the same, good sir

@dave9123

Can I see which package? npm audit report

@denezra

denezra commented Jun 21, 2023

Hi @dave9123, here's the npm audit report

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/react-scripts/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/react-scripts/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/react-scripts/node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/react-scripts/node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/react-scripts/node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

If the devs truly abandoned this project (based on this discussion here), I might try to migrate to another framework like Vite, Next, or Svelte.

@dave9123

dave9123 commented Jun 21, 2023

I forgot that you need to modify your nth-check version,

"overrides": { "nth-check": "2.0.1" },

Should be something like this

@dave9123

Here's me being confused, again
