OWASP Dependency Check found 83 Critical Security Vulnerabilities in react-scripts:4.0.1, 3.4.4 package #10323

Closed
@shrikantGitHVantara

Description

Hi,
I used the OWASP Dependency Check Jenkins plugin to detect security vulnerabilities in my ReactJS application, built using the create-react-app CLI. Mainly, the critical issues are due to these packages present in react-scripts 4.0.1 and 3.4.4:

- [email protected] > [email protected] (most of the issues are due to this package)
- [email protected] > [email protected] - >=3.0.2
- [email protected] > -- [email protected] - upgrade set-value >=3.0.0
- [email protected] > -- [email protected] - > upgrade merge >=1.2.1
- [email protected] > [email protected] - <2.0.2, ~<3.0.2
- [email protected] > [email protected] - > 0.11.2
- [email protected] > [email protected] - > 4.17.12

Steps to reproduce:

  1. Build a React application using create-react-app.
  2. Use the OWASP Dependency Check Maven/Jenkins plugin to scan the project.
  3. See the report by clicking the 'Dependency Check' link once the project is built.

Here is a snapshot of the report.

[image: Sec_VulnerabilityIssues]

This is our package.json:

```json
"dependencies": {
  "@hv/uikit-react-core": "^3.5.1",
  "@hv/uikit-react-icons": "^3.1.0",
  "@hv/uikit-react-lab": "^3.0.7",
  "@material-ui/core": "^4.11.2",
  "@material-ui/lab": "^4.0.0-alpha.57",
  "@testing-library/jest-dom": "^4.2.4",
  "@testing-library/react": "^9.3.2",
  "@testing-library/user-event": "^7.1.2",
  "axios": "^0.21.1",
  "core-js": "^3.8.1",
  "dayjs": "1.8.26",
  "easy-soap-request": "^4.1.1",
  "node-sass": "^4.14.1",
  "plotly.js-basic-dist": "^1.58.4",
  "react": "^16.13.1",
  "react-app-polyfill": "^1.0.6",
  "react-cron-builder": "1.0.4",
  "react-dom": "^16.13.1",
  "react-google-charts": "3.0.15",
  "react-idle-timer": "4.2.12",
  "react-monaco-editor": "^0.36.0",
  "react-redux": "^7.2.0",
  "react-router-dom": "^5.1.2",
  "react-scripts": "^4.0.1",
  "redux": "^4.0.5",
  "redux-saga": "^1.1.3",
  "xml2js": "^0.4.23"
}
```

Please suggest a remediation for these issues.
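A triage helper for findings like the ones in this report, added here as an example and not the reporter's or the create-react-app project's code. It reads a package-lock.json v1 structure (a constructed sample is embedded, with made-up version numbers), prints the chain that pulls a flagged package in through react-scripts in the same `a > b > c` form the scanner uses, compares the installed version with the version the scanner says fixes the issue (here `set-value >= 3.0.0`, taken from the report above), and reports whether the package is marked `dev`, i.e. reachable only through devDependencies; a real lockfile would be loaded with `json.load` in place of the sample.

```python
"""Triage one OWASP Dependency Check finding against a package-lock.json (v1)."""
# Constructed sample lock data, not the reporter's real lockfile. Lockfile v1 keeps a
# flat "dependencies" map; "dev": true marks packages reachable only via devDependencies.
SAMPLE_LOCK = {
    "dependencies": {
        "react-scripts": {"version": "4.0.1", "dev": True,
                          "requires": {"webpack": "4.44.2"}},
        "webpack": {"version": "4.44.2", "dev": True,
                    "requires": {"set-value": "2.0.1"}},
        "set-value": {"version": "2.0.1", "dev": True},
        "axios": {"version": "0.21.1"},
    }
}

def parse_version(v):
    """'2.0.1' -> (2, 0, 1); any pre-release suffix after '-' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def dependency_paths(lock, target):
    """Every chain root > ... > target via 'requires' edges in the flat top-level map
    (nested per-package 'dependencies' used for version conflicts are ignored)."""
    deps = lock["dependencies"]
    required = {c for d in deps.values() for c in d.get("requires", {})}
    roots = [n for n in deps if n not in required]  # the project's direct dependencies
    paths = []
    def walk(name, trail):
        trail = trail + [name]
        if name == target:
            paths.append(trail)
            return
        for child in deps.get(name, {}).get("requires", {}):
            if child not in trail:  # guard against dependency cycles
                walk(child, trail)
    for root in roots:
        walk(root, [])
    return paths

def triage(lock, target, fixed_in):
    """Installed version, whether it is below the scanner's fixed version, the chains
    that pull it in (as the report prints them), and whether it is build-time only."""
    entry = lock["dependencies"].get(target)
    if entry is None:
        return {"installed": None, "vulnerable": False, "paths": [], "dev_only": None}
    return {
        "installed": entry["version"],
        "vulnerable": parse_version(entry["version"]) < parse_version(fixed_in),
        "paths": [" > ".join(p) for p in dependency_paths(lock, target)],
        "dev_only": entry.get("dev", False),
    }
```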
