
react-dev-utils@11.0.4 is installing a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub: https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/package.json#L57

[To test this out, you may simply create any folder, run `npm i react-dev-utils`, and then check it using `npm ls browserslist`.]

I don't get what all the constraints for this are. (I don't see any package-lock.json for this package, which could be a potential reason for the vuln.) The older version has a reported vulnerability, CVE-2021-23364.

Hari Kishore
  • FYI, there is no actual security issue for `react-dev-tools` here, since it doesn't parse user-provided browser queries. – smitop Dec 10 '21 at 18:21
  • Okay, thanks, that might probably be the case, but anyway I want to update the package to one without any reported vulns. – Hari Kishore Dec 10 '21 at 18:25

1 Answer


react-dev-utils@11.0.4 is installing a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub

This is because that package.json file resides in the default branch which usually contains the latest or development code. At the time you posted the question, that change was not published to the npm registry.

react-dev-utils@11.0.4 has browserslist@4.14.2 listed in its package.json, so that's the version that will be installed. Reference: https://cdn.jsdelivr.net/npm/react-dev-utils@11.0.4/package.json

You need at least react-dev-utils@12.0.0 to fix that vulnerability. See the versions tab.


[To test this out, you may simply create any folder, run `npm i react-dev-utils`, and then check it using `npm ls browserslist`.]

Running that command will install the latest version of react-dev-utils, which now has no vulnerability. So it will fix your issue.


I don't see any package-lock.json for this package, which could be a potential reason for the vuln

package-lock.json cannot be published to the registry; only the top-level lock file is respected. Reference: Should package-lock.json also be published?


This may be an example package, but how in general do we update to the latest package? I have tried npm update as well.

npm update respects the semver range that you've set in your package.json. If it's like "react-dev-utils": "11.0.4", that command won't do anything. If it's "react-dev-utils": "^11.0.4", it will try to update to the latest 11.x.x version, which you are already on, so again it won't do anything. Reference: npm update does not do anything

In general, if you want to upgrade every direct dependency to its latest version, you can use npm-check-updates before running npm update. Refer to https://nodejs.dev/learn/update-all-the-nodejs-dependencies-to-their-latest-version for a detailed guide. Related: How to update each dependency in package.json to the latest version?

Now, if it is not a direct dependency, as was in your case, you can force resolutions. This is natively supported in Yarn and NPM v8.3.0 and above. In older NPM versions you need to use a dependency like npm-force-resolutions. Related thread: npm equivalent of yarn resolutions?

There are many more related threads that you can easily find by searching on the web.

brc-dd
  • Thanks for the detailed answer; I will dig deeper and try to understand. It's not just about this single package in create-react-app, but many others. I will take the approach you suggested and, if there are further issues, I will ask in the thread. Thanks! – Hari Kishore Dec 28 '21 at 07:23
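As an added illustration of two points made in the answer above (why `npm update` never leaves the semver range in package.json, and how an npm `overrides` entry forces a transitive dependency such as browserslist to a chosen version), the following is example code written for this edit; it is not code from the question, the answer, or the create-react-app project. The list of published versions is constructed, and the browserslist version used in the override is an assumed patched version: substitute whatever version the advisory for CVE-2021-23364 names for your case.

```javascript
// Added example (not from the original question/answer): a minimal
// semver range matcher that mimics which version `npm update` picks for
// a direct dependency, plus a helper that adds an npm `overrides` entry
// (npm >= 8.3.0) so a transitive dependency such as browserslist is
// forced to a version you have verified as patched.
//
// The publish history below is CONSTRUCTED for illustration; it is not
// the real react-dev-utils version list.
const AVAILABLE = ['11.0.3', '11.0.4', '12.0.0', '12.0.1'];

function parse(version) {
  return version.split('.').map(Number);
}

// Numeric comparison of two "major.minor.patch" strings (negative, 0, positive).
function compare(a, b) {
  const [aM, am, ap] = parse(a);
  const [bM, bm, bp] = parse(b);
  return (aM - bM) || (am - bm) || (ap - bp);
}

// Does `version` satisfy `range`? Handles the three forms discussed in
// the answer: exact ("11.0.4"), caret ("^11.0.4") and tilde ("~11.0.4").
function satisfies(version, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (compare(version, base) < 0) return false; // never below the base
  const [bM, bm, bp] = parse(base);
  const [vM, vm, vp] = parse(version);
  if (op === '') return compare(version, base) === 0; // pinned: exactly one version
  if (op === '^') {
    // caret: same major for 1.x.y and above; for 0.x.y the minor is the
    // compatibility boundary, for 0.0.z the patch is. A new major is
    // therefore never pulled in, which is why ^11.0.4 stays on 11.x.x.
    if (bM > 0) return vM === bM;
    if (bm > 0) return vM === 0 && vm === bm;
    return vM === 0 && vm === 0 && vp === bp;
  }
  return vM === bM && vm === bm; // tilde: same major and minor
}

// Highest published version inside the range, i.e. what `npm update`
// would move to; null when nothing matches.
function resolve(range, available = AVAILABLE) {
  const ok = available.filter((v) => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Return a copy of a package.json object with an `overrides` entry for
// `name`. npm >= 8.3.0 applies it to every occurrence of `name` in the
// tree, including transitive ones; older npm needs npm-force-resolutions,
// and Yarn uses the "resolutions" key instead.
function addOverride(pkg, name, version) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: version } };
}

// Constructed sample project. PATCHED_BROWSERSLIST is an ASSUMED patched
// version for illustration; replace it with the one the advisory names.
const SAMPLE_PKG = {
  name: 'my-app',
  dependencies: { 'react-dev-utils': '^11.0.4' },
};
const PATCHED_BROWSERSLIST = '4.16.5';

for (const range of ['11.0.4', '^11.0.4', '~11.0.4', '^12.0.0']) {
  console.log(`${range.padEnd(8)} -> ${resolve(range)}`);
}
console.log(JSON.stringify(addOverride(SAMPLE_PKG, 'browserslist', PATCHED_BROWSERSLIST), null, 2));
```

Running it shows that `11.0.4`, `^11.0.4` and `~11.0.4` all resolve to 11.0.4 even though 12.x is published, which is the behaviour the answer describes for `npm update`; only a range that already spans the new major (or a bumped range written by npm-check-updates) moves to 12.0.1. The printed package.json carries the `overrides` block that forces browserslist regardless of what react-dev-utils declares. After adding it, re-run `npm install` and confirm with `npm ls browserslist` that the whole tree reports the overridden version, and keep in mind that an override can break a dependency that genuinely needs the older API, so run the project's tests afterwards.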