# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I am using npm 8.12.1 and node 16.15.1. react-icons just released its 4.4.0, which I tried to install and ended up with this message. I tried npm audit fix --force. The vulnerability and severity remain the same. I would like to have your opinion on this message. So if react-icons is not safe, which package is an alternative for icons?

Ameen NA

3 Answers


Had a similar issue. This helped me understand.

https://github.com/facebook/create-react-app/issues/11174

Edit:

npm audit is broken for front-end tooling by design

More reading here: https://overreacted.io/npm-audit-broken-by-design/

Create React App is a build tool. In other words, it doesn't produce a running Node application. It runs at the build time during development, and produces static assets.

However, npm audit is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.

This means that the overwhelming amount of "vulnerability" reports we receive for transitive dependencies are false positives. Despite literally a hundred issues with thousands of comments about npm audit warnings in react-scripts, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users.

If you'd like to still fix the warnings:

Open package.json. You will find this:

"dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3"
}

Take react-scripts and move it to devDependencies (if you don't have it, create it):

"dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
},
"devDependencies": {
    "react-scripts": "4.0.3"
},

Then, ensure you run npm audit --production rather than npm audit.

This will fix your warnings.

TenzingS
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jun 07 '22 at 04:23
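Why moving react-scripts to devDependencies and auditing with --production makes these warnings go away can be seen by walking the dependency chain printed in the report. The following is an added example, not code from the question, the answers, or Create React App: it models that chain as a hand-constructed reverse-edge list, applies the package.json change the answer describes, and checks whether the flagged package (nth-check) is still reachable from any production dependency, which is essentially the question `npm audit --production` (in newer npm, `--omit=dev`) asks. The package.json contents and the edge list are constructed from the text above; the function names are this example's own.

```javascript
// Constructed package.json, matching the "before" state shown in the answer.
const packageBefore = {
  name: "my-app",
  dependencies: {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3",
  },
};

// Return a copy of package.json with the named packages moved from
// dependencies to devDependencies (creating devDependencies if missing).
// The input object is left untouched.
function moveToDevDependencies(pkg, names) {
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  for (const name of names) {
    if (name in deps) {
      devDeps[name] = deps[name];
      delete deps[name];
    }
  }
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Reverse dependency edges, hand-copied from the audit report above:
// vulnerable package -> packages that depend on it.
const dependents = {
  "nth-check": ["css-select"],
  "css-select": ["svgo"],
  "svgo": ["@svgr/plugin-svgo"],
  "@svgr/plugin-svgo": ["@svgr/webpack"],
  "@svgr/webpack": ["react-scripts"],
  "react-scripts": [],
};

// Walk upward from `vulnerable` through its dependents and return the
// top-level packages that are declared as *production* dependencies and
// pull it in. An empty result means only dev (build-time) tooling is
// affected, which is what `npm audit --production` would report as clean.
function productionRootsFor(pkg, graph, vulnerable) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const seen = new Set();
  const roots = new Set();
  const stack = [vulnerable];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    if (prod.has(name)) roots.add(name);
    stack.push(...(graph[name] || []));
  }
  return [...roots].sort();
}

// Usage: before the change nth-check is reachable via react-scripts,
// afterwards no production dependency leads to it.
const packageAfter = moveToDevDependencies(packageBefore, ["react-scripts"]);
console.log(productionRootsFor(packageBefore, dependents, "nth-check")); // [ 'react-scripts' ]
console.log(productionRootsFor(packageAfter, dependents, "nth-check"));  // []
```

The model deliberately keeps the graph separate from package.json: a real lockfile can contain several paths to the same package, and the walk reports every production root, not just the first one found. That is also the caveat to keep in mind when applying the answer: the warning disappears because the vulnerable code only runs at build time, not because the package is gone from node_modules.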

Not all vulnerabilities are the same. I have this exact same error and further research showed me it is common and - in my case - it can be ignored (using npm view nth-check version shows I have a later version than the error suggests, and I do not believe the vulnerability presents a security concern)

Also do not use npm audit fix --force blindly. For example, in my case it would force a downgrade of nth-check and react-scripts versions, which would introduce vulnerabilities that might be worse.

Further research on this showed me it's pretty normal/common to not have 0 vulnerabilities? And each one needs to be weighed on the merit of what you are building so is likely a personal research decision.

mdkb

I resolved the conflicts this way, changing to these versions:

"react": "^18.2.0",
"react-dom": "^18.2.0",
"devDependencies": {
    "react-scripts": "5.0.1"
}
Aziza Kasenova