Vulnerability Issues with nth-check in react-scripts Dependencies

[niryaf]

Environment:

• Operating System: Windows 11
• IDE: Visual Studio Code
• Node.js version: v18.17.1
• npm version: 10.1.0

Description:
I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package. Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

NPM Audit Output:
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/react-scripts/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/react-scripts/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/react-scripts/node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/react-scripts/node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/react-scripts/node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts

Steps to Reproduce:

1. Updated to the latest version of react-scripts.
2. Ran npm audit, revealing the vulnerability issue related to nth-check.
3. Attempted to manually update dependencies and force resolutions.
4. Checked again with npm audit, but the vulnerability warning persisted.

Expected Behavior:
The dependencies, especially nth-check, should be up-to-date, ensuring no vulnerabilities when executing npm audit.

Additional Context:
I made attempts to resolve this by updating individual packages and also using the npm-force-resolutions package. Unfortunately, the vulnerability continues to persist.

Seeking guidance or a potential fix for this vulnerability. Thank you for your assistance!

[OlivierMartineau]

See this comment, it's important.
#13062 (comment)

If you consider migrating, check this article:
https://cathalmacdonnacha.com/migrating-from-create-react-app-cra-to-vite

If you really need to fix this warning, you can declare in your dependencies

"dependencies": {
    "nth-check": "^2.1.1"
}

and at the end of your package.json

"overrides": {
    "nth-check": "$nth-check"
}

[palyvodaBoi]

It doesn't work for me :(
Seems like it's time to migrate to Vite

[Senior-Ori]

It doesn't work for me :( Seems like it's time to migrate to Vite

i added this:

  "dependencies": {
    "react-scripts": "^5.0.1",
    "web-vitals": "^2.1.4",
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss":"^8.4.38"
  }

and after that i have entered npm update, hope it helped you :)

[tariv2012]

It doesn't work for me :( Seems like it's time to migrate to Vite

i added this:

  "dependencies": {
    "react-scripts": "^5.0.1",
    "web-vitals": "^2.1.4",
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss":"^8.4.38"
  }

and after that i have entered npm update, hope it helped you :)

Thanks for this info, helps me to remove Snyk scanning issue on the nth-check

[tuanhuynh77]

Maybe, the problem may be due to the lack of permission to using new version, so re-installation libs and requires overwrite of the existing version (registed in dependencies list)

#npm i postcss
#npm i nth-check

and, add the code to end of package.json file:
"overrides": {
"nth-check": "$nth-check",
"postcss": "$postcss"
}

Thats help for me, after update node to v22.3.0 and, react-scripts: 5.0.1

[kenshanta]

The moment i decided to uninstall react-scripts is when i finally resolved the vulnerability issues I've been getting from git (npm audit fix didnt do the job btw)

[user☮kenshantas-macbook-pro.home]-(~/Projects/sleek-company-portfolio)-[git://main ✔]-
└> npm install vite @vitejs/plugin-react --save-dev

added 9 packages, and audited 1688 packages in 8s

264 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
┌[user☮kenshantas-macbook-pro.home]-(~/Projects/sleek-company-portfolio)-[git://main ✗]-
└> npm uninstall react-scripts

removed 1292 packages, and audited 396 packages in 3s

58 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

We should close this issue as there hasnt been any updates over the past 2 years.
The project is abandoned :/

[ENAwareness]

It doesn't work for me :( Seems like it's time to migrate to Vite

i added this:

  "dependencies": {
    "react-scripts": "^5.0.1",
    "web-vitals": "^2.1.4",
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss":"^8.4.38"
  }

and after that i have entered npm update, hope it helped you :)

Thanks for this info, helps me to remove Snyk scanning issue on the nth-check

Thanks a ton for fixing that!

[iAlessDev]

Maybe, the problem may be due to the lack of permission to using new version, so re-installation libs and requires overwrite of the existing version (registed in dependencies list)

#npm i postcss #npm i nth-check

and, add the code to end of package.json file: "overrides": { "nth-check": "$nth-check", "postcss": "$postcss" }

Thats help for me, after update node to v22.3.0 and, react-scripts: 5.0.1

It helps me a lot! thank you so mucho for that