react-scripts 5.0.1 having vulnerable transitive libraries #12851

Open
Description

@aish110

We are using the react-scripts 5.0.1 library and are facing some security vulnerabilities in its dependent packages.

  1. nth-check v1.0.2 - vulnerable to Inefficient Regular Expression Complexity
  2. loader-utils v2.0.2 - A Regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable.
  3. minimatch v3.0.4 - A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

These packages, if upgraded to the versions below, will fix the vulnerabilities:
nth-check v2.0.1
minimatch v3.0.5

Please upgrade react-scripts with transitive dependencies security patches.
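Added example, not part of the issue or the react-scripts project: a small Node.js check that walks a package-lock.json (lockfileVersion 2/3 "packages" map) for every copy of the packages named above, flags copies below the fixed versions the issue states (nth-check 2.0.1, minimatch 3.0.5; loader-utils is left out because the issue gives no fixed version for it), and builds the npm "overrides" block that pins them. The lockfile fragment is constructed for the demo; the function and variable names are this example's own.

```javascript
// Fixed versions as stated in the issue. loader-utils is omitted: the issue
// names the vulnerable version (2.0.2) but not a fixed one.
const ADVISORIES = {
  "nth-check": { fixedIn: "2.0.1", summary: "Inefficient Regular Expression Complexity" },
  "minimatch": { fixedIn: "3.0.5", summary: "ReDoS in braceExpand" },
};

// Constructed lockfile fragment (not a real project). nth-check appears twice:
// hoisted at the fixed version, and nested under svgo at the vulnerable one.
// The nested copy is exactly what a top-level-only check would miss.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-scripts": "5.0.1" } },
    "node_modules/react-scripts": { version: "5.0.1" },
    "node_modules/nth-check": { version: "2.0.1" },
    "node_modules/svgo/node_modules/nth-check": { version: "1.0.2" },
    "node_modules/minimatch": { version: "3.0.4" },
    "node_modules/loader-utils": { version: "2.0.2" },
  },
};

// Compare dotted numeric versions: -1, 0 or 1. A leading "v" and any
// pre-release suffix ("1.2.3-beta") are ignored, which is enough for lockfiles.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/", so scoped
// names such as "@scope/name" keep their slash.
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return one finding per installed copy whose version is below the fix.
function findVulnerableTransitives(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry.version) continue; // root project entry
    const name = packageNameFromPath(lockPath);
    const advisory = advisories[name];
    if (!advisory) continue;
    if (compareVersions(entry.version, advisory.fixedIn) < 0) {
      findings.push({ name, version: entry.version, path: lockPath, fixedIn: advisory.fixedIn });
    }
  }
  return findings;
}

// npm 8.3+ honours an "overrides" field in package.json; Yarn classic uses
// "resolutions" with the same shape. This pins every flagged package to the
// fixed version regardless of where it sits in the tree.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.fixedIn;
  return overrides;
}

// Demo run over the constructed lockfile.
const findings = findVulnerableTransitives(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.fixedIn}`);
}
console.log("package.json overrides:", JSON.stringify(buildOverrides(findings), null, 2));
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. After adding the overrides block, re-run `npm install` and re-run the check: an override is only effective if the new version still satisfies the range the parent package declares, so the lockfile, not package.json, is the thing to verify.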
