
I want to deploy my app, but there are 3 vulnerabilities and I didn't understand how to solve them. I used npm audit fix, and I also solved some vulnerabilities by manually updating them. So this is the manual review; someone help me:

  Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Regular Expression Denial of Service

  Package         browserslist

  Patched in      >=4.16.5

  Dependency of   react-scripts

  Path            react-scripts > react-dev-utils > browserslist

  More info       https://npmjs.com/advisories/1747


  Moderate        Regular expression denial of service

  Package         glob-parent

  Patched in      >=5.1.2

  Dependency of   react-scripts

  Path            react-scripts > webpack > watchpack > watchpack-chokidar2 >
                  chokidar > glob-parent

  More info       https://npmjs.com/advisories/1751


  Moderate        Regular expression denial of service

  Package         glob-parent

  Patched in      >=5.1.2

  Dependency of   react-scripts

  Path            react-scripts > webpack-dev-server > chokidar > glob-parent

  More info       https://npmjs.com/advisories/1751

found 3 moderate severity vulnerabilities in 2195 scanned packages
  3 vulnerabilities require manual review. See the full report for details.
General Grievance
Azer8
    Well, as the list suggests, the vulnerabilities have been fixed in the respective packages and the patched versions are mentioned? Can you try upgrading them? – gsb22 Jul 24 '21 at 20:21

1 Answer

The answer here gives a good explanation.

Normally, you would try these solutions, in order:

  • npm audit fix (it sounds like you have already done this)
  • npm audit fix --force
  • npm i react-scripts (the parent package of the package with the vuln)
  • npm i browserslist@4.16.5 glob-parent@5.1.2 (the vuln packages themselves)

However, we can see that (at the time I'm writing this) the issue is not resolved in react-dev-utils' package.json. Additionally, the package.json uses an exact version (no caret). These two facts mean that none of these solutions listed above will work.

You have two options:

  • clone the create-react-app repo, fix the versions yourself and use your cloned version instead of the real one
  • wait for create-react-app to fix it, at which point one of the solutions above should work

I would strongly suggest the latter approach.

Codebling
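To make the answer's reasoning concrete, here is an added example (not code from the question, the answer, or create-react-app) that checks whether the range a parent package declares for a dependency can admit the "Patched in" version from the audit report; an exact pin blocks a plain npm audit fix, a caret range does not. The version strings are constructed samples, not react-dev-utils' real pin, and only exact, caret and tilde ranges are handled.

```javascript
// Added example: decide whether `npm audit fix` (without --force) can pull in
// the patched version of a transitive dependency, or whether the parent's
// declared range blocks it. Minimal semver handling, no `semver` package.

const parse = (v) => v.replace(/^v/, '').split('.').map(Number);

// Compare two x.y.z strings: negative, zero or positive like a comparator.
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Exclusive upper bound implied by a caret or tilde range on `ver`.
function upperBound(op, ver) {
  const [maj, min, pat] = parse(ver);
  if (op === '~') return `${maj}.${min + 1}.0`;
  if (maj > 0) return `${maj + 1}.0.0`;          // ^1.2.3 -> <2.0.0
  if (min > 0) return `0.${min + 1}.0`;          // ^0.2.3 -> <0.3.0
  return `0.0.${pat + 1}`;                       // ^0.0.3 -> <0.0.4
}

// `parentRange` is the dependency range from the parent's package.json
// (e.g. "4.14.2", "^4.14.2", "~4.14.2"); `patchedIn` is the ">=x.y.z" from
// the audit report. Returns the lowest version that is both inside the range
// and patched, or null when the range admits no patched version at all,
// which means only --force, a fork, or an upstream release can resolve it.
function lowestPatchedInRange(parentRange, patchedIn) {
  const r = parentRange.trim().match(/^([\^~]?)(\d+\.\d+\.\d+)$/);
  const p = patchedIn.trim().match(/^>=\s*(\d+\.\d+\.\d+)$/);
  if (!r || !p) throw new Error(`unsupported range: ${parentRange} / ${patchedIn}`);
  const [, op, base] = r;
  const floor = p[1];
  if (op === '') return cmp(base, floor) >= 0 ? base : null;   // exact pin
  // Range is [base, upperBound): some patched version exists iff upper > floor.
  if (cmp(upperBound(op, base), floor) <= 0) return null;
  return cmp(base, floor) >= 0 ? base : floor;
}

// Constructed sample values; the exact pin mirrors the situation in the answer.
console.log(lowestPatchedInRange('4.14.2', '>=4.16.5'));  // null: pin blocks the fix
console.log(lowestPatchedInRange('^4.14.2', '>=4.16.5')); // '4.16.5': caret admits it
console.log(lowestPatchedInRange('~4.14.2', '>=4.16.5')); // null: tilde stops at 4.15.0
```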