High severity vulnerability detected by audit in react-scripts 3.4.2 dependencies

[FredChauviere]

Edit from maintainers: this is a false positive.

See #9469 (comment).

Describe the bug

After installing last version (3.4.2) of react-scripts, I got a high severity vulnerability (Remote Code Execution) from serialize-javascript (2.1.2) from terser-webpack-plugin (2.3.5), that is a dependency of react-scripts (3.4.2)

Did you try recovering your dependencies?

Yes
npm --version
6.14.7

Which terms did you search for in User Guide?

NA

Environment

Environment Info:

current version of create-react-app: 3.4.1
running from C:\Users\fcha\AppData\Roaming\npm-cache_npx\16340\node_modules\create-react-app

System:
OS: Windows 10 10.0.18363
CPU: (8) x64 Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
Binaries:
Node: 11.10.0 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: 44.18362.449.0
Internet Explorer: 11.0.18362.1
npmPackages:
react: ^16.13.1 => 16.13.1
react-dom: ^16.13.1 => 16.13.1 (15.6.1)
react-scripts: ^3.4.2 => 3.4.2
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

NA

Expected behavior

No vulnerabilities detected by audit

Actual behavior

High severity vulnerabilities detected by audit

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             
                                                                            
      Visit https://go.npm.me/audit-guide for additional guidance           

High Remote Code Execution

Package serialize-javascript

Patched in >=3.1.0

Dependency of react-scripts

Path react-scripts > terser-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1548

found 1 high severity vulnerability in 2114 scanned packages
1 vulnerability requires manual review. See the full report for details.

Reproducible demo

NA

[charkour]

I am experiencing the same high severity vulnerability. Does anyone have suggestions on the best way to solve this issue? I do not have much experience with manually fixing npm vulnerabilities. Thanks

[knivesschau]

I am experiencing the same issue as well, tried manually installing the latest versions of packages serialize-javascript and terser-webpack-plugin as a fix, but still running into the same high vulnerability notification on audit.

npm version is 6.14.5

[Pilipo]

I am experiencing the same issue.

npm --version
6.14.7

react-scripts: 3.4.2

[netanelmaroof]

Experiencing the same vulnerability - running npm version 6.14.7

[hoffmang9]

Such things always seem to happen on the day of a release. Us too...

[thien-do]

I believe the best way to solve this is for react-scripts to upgrade its terser-webpack-plugin to version 3 or 4 (both use a version of serialize-javascript that is free from this issue)

@charkour A temporary workaround (if you need to get pass your CI or something) is to manually override the version of either terser-webpack-plugin or serialize-javascript. At the moment I don't know if there is any compatible issue that could happen but at least the changlog can be found here

@knivesschau Manually install wouldn't work because (under npm's view) react-scripts still require the other version, thus both versions will exist. What should be done is to override the version inside react-scripts' dependencies (in package-lock, for example)

[knivesschau]

@dvkndn D'oh! Of course. Thank you! I will give that a try and see if it resolves the issue.

[knivesschau]

@dvkndn Thanks again! Overriding the version manually in package-lock worked for me.

[ondrejsudoma]

Please let me know if you find out solution!

I tried updating manually serialize-javascript to 4.0.0 which didn't help (which now I understand why). Waiting for real solution.

[jcamato]

Getting the same vulnerability here

[tdowgielewicz]

This is what has help in my CI.

WARNNING!
Please note that this really overrides your every version of serialize-javascript to 3.1.0 so you may want to see what else you will brake.

Before force resolutions

npm ls serialize-javascript 

npm install npm-force-resolutions

In package.json add resolutions to root object

"name": xxx,
"dependencies": {...},
...
"resolutions": {
    "serialize-javascript": "3.1.0"
  },

then run npm-force-resolutions
npx npm-force-resolutions

packages should now install with fixed version

npm install
...
found 0 vulnerabilities

[Pieter-Uys]

@tdowgielewicz I think you should put this on the top of your post

WARNNING!
Please note that this really overrides your every version of serialize-javascript to 3.1.0 so you may want to see what else you will brake.

Before force resolutions

npm ls serialize-javascript