My NPM package in my react client folder is giving me 63 low vulnerabilities all dealing with the braces package mainly in the jest folder of the react-scripts package of version 2.1.5. NPM Audit fix doesn't work, what do I do?

I've tried downgrading to previous versions of react-scripts, updating braces either through updating the package.json, deleting the package lock, and running npm install again, or running npm update braces, but nothing has worked after 2 hours of fiddling. I've also tried to revert to a previous version of my Github package.json when it was working. I believe it stopped working after I tried to download firebase-ui, but I think it has to do with updating the packages since I've deleted the node modules and npm installing several times.

Here's my clean package.json that's messing up.

"webpack-dev-server": "3.1.14",
"@babel/core": "*",
"axios": "*",
"body-parser": "*",
"bootstrap": "*",
"cors": "*",
"dotenv": "*",
"draft-js": "*",
"draft-js-export-html": "*",
"errorhandler": "*",
"express": "*",
"express-session": "*",
"history": "*",
"jquery": "*",
"moment": "*",
"mongoose": "*",
"morgan": "*",
"node-sass-chokidar": "*",
"npm-run-all": "*",
"path": "*",
"query-string": "*",
"react": "*",
"react-dom": "*",
"react-loadable": "*",
"react-redux": "*",
"react-router-dom": "*",
"react-router-redux": "*",
"react-scripts": "*",
"react-validation": "*",
"reactstrap": "*",
"recharts": "*",
"redux": "*",
"redux-logger": "*",
"redux-observable": "*",
"redux-thunk": "*",
"rxjs": "*",
"rxjs-compat": "*",
"validator": "*"

And here's the issue I'm getting:

Low Regular Expression Denial of Service

Package braces

Dependency of react-scripts

Path react-scripts > jest > jest-cli > micromatch > braces

More info https://nodesecurity.io/advisories/786

skyboyer
CrumrineCoder

3 Answers

16

I ran npm install braces@2.3.1 and then npm update

That still resulted in the 63 vulnerabilities but it did bring my braces to the current version. So I went through and updated ALL references of braces in the package-lock.json to 2.3.2. I then ran npm update again and when I ran npm audit the vulnerabilities were gone.

jeffdstephens
4

Jest is a test package and will never appear in your production bundle, you can ignore this vulnerability without risks.

This package https://github.com/naugtur/npm-audit-resolver#readme can help you to ignore low vulnerabilities.

  • 4
    Although it won't affect production code, vulnerabilities in the developer dependencies might still affect your developers or build process. – Wes Souza Mar 14 '19 at 18:16
1

I was able to resolve a similar issue with the resolutions field followed by yarn install:

  "resolutions": {
    "braces": "= 2.3.1"
  }

I've inspected yarn.lock and verified that only the relevant dependency was updated.

There is more on the topic here - https://github.com/yarnpkg/yarn/issues/4986.

Anton