
I have run npm audit in my project and I've got the following results.

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/webpack@6.5.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack

5 high severity vulnerabilities

I'm concerned about the "Will install @svgr/webpack@6.5.1, which is a breaking change" line. I mean, I'm not sure if it will actually break anything in my project. How can I handle this?

  • Does this answer your question? [How do I override nested NPM dependency versions?](https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions) – Xiduzo Dec 08 '22 at 10:44
  • @Xiduzo It's not necessarily about finding a solution, but understanding it as well. Overriding, how will it help me fix the errors? Will it become a breaking change for the packages that use it? I see the svg/webpack extension is used in webpack config, which I am not very comfortable with, so I can't check for sure if it will continue to work fine after doing the override. – florinpavel Dec 08 '22 at 13:22
  • By overriding the package version you can force NPM to install a specific version in which this `Regular Expression Complexity` won't be there. This can be done by either down- or upgrading the version which is required by the main package. As I mentioned in my answer: this can break the main package you are trying to install as it might depend on new functionality added in the package you are overriding. Check out the official NPM documentation about it: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides – Xiduzo Dec 09 '22 at 08:27

1 Answer

0

In your package.json you can overwrite the resolution of your specific packages. The `overrides` key sits at the top level of package.json, next to `dependencies`:

{
  "overrides": {
    "YOUR_PACKAGE_HERE": "YOUR_VERSION_HERE"
  }
}

Bear in mind, this can break the main package you are trying to install as it might depend on new functionality added in the package you are overwriting.

Xiduzo