Vulnerability in react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what

[im-deepakk]

Describe the bug

Upgrade react-scripts to have the @@svgr/webpack@6.* as the dependency. As the current @svgr/webpack@5.5.0 has following vulnerable versions as dependency.

nth-check - https://security.snyk.io/vuln/SNYK-JS-NTHCHECK-1586032
css-what - https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-1298035

Below is the dependency tree:

+-- react-scripts@5.0.0
├─┬ @svgr/webpack@5.5.0
│ └─┬ @svgr/plugin-svgo@5.5.0
│ └─┬ svgo@1.3.2
│ └─┬ css-select@2.1.0
│ └── nth-check@1.0.2
└──css-what@3.4.2

Environment

Environment Info:
current version of create-react-app: 5.0.0
System:
OS: Windows 7 6.1.7601
CPU: (8) x64 Intel(R) Xeon(R) CPU E3-1585L v5 @ 3.00GHz
Binaries:
Node: 14.17.6 - ...\tools\nodejs14-win7\latest\node.EXE
Yarn: Not Found
npm: 8.2.0 - ...\data\npm14\npm.CMD
Browsers:
Chrome: 97.0.4692.71
Internet Explorer: 11.0.9600.20139

Steps to reproduce

npx create-react-app

Expected behavior

The react-scripts should not be having any dependency on vulnerable components.

Actual behavior

The dependent package @svgr/webpack 5.5.0 refers to vulnerable components, as per the author the v6 has the fix for the same.

[Vishal-Mayal]

Hi, any updates on when the package will be updated?
Thank you.

[PraveenkumarD2004]

Hi, I am also facing the same issue. When I upgrading react-scripts to 5.0.0 version. While npm audit I am getting the same Vulnerability Error.

Error:
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

FYI, Upgrade react-scripts to have the @@svgr/webpack@6. as the dependency. As the current @svgr/webpack@5.5.0 has following vulnerable versions as dependency.

Thanks & Regards,
Praveen Kumar D.

[palminha]

same here...

% npm audit
# npm audit report

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 moderate severity vulnerabilities

I'm using react-scripts 5.0.0

% npm list react-scripts
nextjs-with-typescript@5.0.0 /Users/palmito/Development/risk-util-tool/webapp
└── react-scripts@5.0.0

[palminha]

the vulnerable dependency is dependent of css-select@2.1.0

% npm list nth-check
create-react-app@ /Users/palmito/Development/create-react-app
├─┬ cra-docs@ -> ./docusaurus/website
│ └─┬ @docusaurus/core@2.0.0-beta.14
│   └─┬ @slorber/static-site-generator-webpack-plugin@4.0.1
│     └─┬ cheerio@0.22.0
│       └─┬ css-select@1.2.0
│         └── nth-check@1.0.2
├─┬ react-scripts@5.0.0 -> ./packages/react-scripts
│ └─┬ html-webpack-plugin@5.5.0
│   └─┬ pretty-error@4.0.0
│     └─┬ renderkid@3.0.0
│       └─┬ css-select@4.1.3
│         └── nth-check@2.0.1
└─┬ svg-term-cli@2.1.1
  └─┬ svgo@1.3.2
    └─┬ css-select@2.1.0
      └── nth-check@1.0.2

[palminha]

The vulnerable dependency is caused by svg-term-cli
project seems to be abandoned for a couple of years (a lot of dependabot pull-requests getting rotten...)

[palminha]

@marionebl any feedback on svg-term-cli ?

[slowWriting]

Have you guys read this stickied issue?
#11174

[palminha]

moving the dependency to dev makes the vulnerability only dependent of svgr/webpack

% npm list nth-check
nextjs-with-typescript@5.0.0 /Users/palmito/Development/risk-util-tool/webapp
└─┬ react-scripts@5.0.0
  ├─┬ @svgr/webpack@5.5.0
  │ └─┬ @svgr/plugin-svgo@5.5.0
  │   └─┬ svgo@1.3.2
  │     └─┬ css-select@2.1.0
  │       └── nth-check@1.0.2
  └─┬ html-webpack-plugin@5.5.0
    └─┬ pretty-error@4.0.0
      └─┬ renderkid@3.0.0
        └─┬ css-select@4.2.1
          └── nth-check@2.0.1

followed-up here #12146

[PraveenkumarD2004]

Hi, any updates on when the package will be updated?
Thanks & Regards,
Praveen Kumar D.

[Stunext]

Read this: #11174 ...then wait, there are more important things than fixing false positives. It will be fixed at the next scheduled update or when a critical bug appears.

[Mekebrown]

Read this: #11174 ...then wait, there are more important things than fixing false positives. It will be fixed at the next scheduled update or when a critical bug appears.

Fair enough