Critical vulnerability in react-scripts package because the package version has not been updated
Created by: vveselov
Describe the bug
The yarn audit command shows a critical vulnerability for the immer package:
my-app % yarn audit --level critical
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > react-dev-utils > immer                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002492                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
115 vulnerabilities found - Packages audited: 1682
Severity: 85 Moderate | 29 High | 1 Critical
The package.json file for the react-dev-utils package uses the correct version of immer. However, since the version of the react-scripts package has not changed (still 4.0.3 for the last 8 months), the update has not been published to the package repositories (npm, yarn).
Did you try recovering your dependencies?
Yes, I did
Which terms did you search for in User Guide?
Fix vulnerabilities
Environment
Environment Info:
current version of create-react-app: 4.0.3
running from /Users/veselov/.npm/_npx/c67e74de0542c87c/node_modules/create-react-app
System:
OS: macOS 10.15.7
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 14.15.4 - /usr/local/bin/node
Yarn: 1.22.10 - ~/homebrew/bin/yarn
npm: 7.22.0 - ~/homebrew/bin/npm
Browsers:
Chrome: 94.0.4606.71
Edge: Not Found
Firefox: 91.1.0
Safari: 15.0
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: ^4.0.3 => 4.0.3
npmGlobalPackages:
create-react-app: Not Found
Steps to reproduce
- Generate my-app
npx create-react-app my-app
cd my-app
- Run audit
yarn audit --level critical
Expected behavior
Expect not to have any critical vulnerabilities
Actual behavior
See above
Reproducible demo
Use the current version of create-react-app
Possible security incident Possible compliance risk
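As an added example, not code from the original issue or from create-react-app: a small Node script that walks a constructed dependency tree, reports every path that reaches a package version below an advisory's "Patched in" floor (here the immer floor of 9.0.6 and the path react-scripts > react-dev-utils > immer from the audit table above), and then re-runs the check with an application-level pin, which is what a Yarn 1 package.json "resolutions" entry (npm 8.3+ calls the equivalent field "overrides") does to a transitive dependency while waiting for a react-scripts release that picks up the fix. The tree shape, the react-dev-utils version and the vulnerable immer version 8.0.1 are placeholders constructed for the example; only react-scripts 4.0.3 and the 9.0.6 floor come from the page. The semver comparison handles plain MAJOR.MINOR.PATCH strings only.

```javascript
// Added example, not code from the original issue or from create-react-app.
// Walks a constructed dependency tree, flags every path that reaches a
// package version below an advisory's "Patched in" floor, then re-checks
// with an application-level pin (the effect of a Yarn 1 "resolutions" entry).

// Constructed tree: package name -> installed version and direct dependencies.
// react-scripts 4.0.3 and the immer floor 9.0.6 come from the issue; the
// react-dev-utils version and immer 8.0.1 are placeholders for this example.
const TREE = {
  "react-scripts":   { version: "4.0.3",  dependencies: ["react-dev-utils"] },
  "react-dev-utils": { version: "11.0.4", dependencies: ["immer"] }, // placeholder version
  "immer":           { version: "8.0.1",  dependencies: [] },        // placeholder, below 9.0.6
};

// Advisory as reported by yarn audit on the page: immer is patched in >=9.0.6.
const ADVISORY = { package: "immer", patchedIn: "9.0.6" };

// Compare two plain MAJOR.MINOR.PATCH strings numerically (never lexically);
// a pre-release suffix is dropped. Returns -1, 0 or 1 like a comparator.
function cmpSemver(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is vulnerable when it sits below the advisory's patched floor.
function isVulnerable(version, patchedIn) {
  return cmpSemver(version, patchedIn) < 0;
}

// Installed version for a package, honouring an optional resolutions map
// (simplified to exact versions, as in "resolutions": { "immer": "9.0.6" }).
function installedVersion(tree, name, resolutions) {
  return resolutions[name] || tree[name].version;
}

// Depth-first walk from `root`; collects every path that ends at
// advisory.package with a vulnerable installed version. Paths are rendered
// as "a > b > c", the same way yarn audit prints them.
function findVulnerablePaths(tree, root, advisory, resolutions = {}) {
  const hits = [];
  const walk = (name, path) => {
    const here = [...path, name];
    if (name === advisory.package) {
      const version = installedVersion(tree, name, resolutions);
      if (isVulnerable(version, advisory.patchedIn)) {
        hits.push({ path: here.join(" > "), version });
      }
      return;
    }
    for (const dep of (tree[name] && tree[name].dependencies) || []) {
      if (!here.includes(dep)) walk(dep, here); // skip dependency cycles
    }
  };
  walk(root, []);
  return hits;
}

// Before any pin: one vulnerable path, matching the audit table on the page.
const before = findVulnerablePaths(TREE, "react-scripts", ADVISORY);

// After pinning immer at the application level: no vulnerable paths remain.
const RESOLUTIONS = { immer: "9.0.6" };
const after = findVulnerablePaths(TREE, "react-scripts", ADVISORY, RESOLUTIONS);

console.log("before resolutions:", before);
console.log("after resolutions: ", after);
```

Run it with node. The check only models how a transitive pin changes what an audit sees; it does not replace yarn audit, and a resolutions pin should be removed again once a react-scripts release ships the updated react-dev-utils, so the project's own version ranges are back in control.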