Create-react-app: deep-extend dependency is a vulnerability

Created on 12 May 2018  ·  2 Comments  ·  Source: facebook/create-react-app

Is this a bug report?

Yes, technically it's a vulnerability.

Did you try recovering your dependencies?

Yes.

Which terms did you search for in User Guide?

'deep-extend vulnerability', 'deep-extend, security', 'deep-extend'

Environment

Environment:
OS: Linux 4.13
Node: 8.9.4
Yarn: Not Found
npm: 6.0.1
Watchman: Not Found
Xcode: N/A
Android Studio: Not Found

Packages: (wanted => installed)
react: ^16.2.0 => 16.3.2
react-dom: ^16.2.0 => 16.3.2
react-scripts: 1.1.4 => 1.1.4

Steps to Reproduce

  1. install npm@6 and react-scripts
  2. run npm audit
  3. 4 low level vulnerabilities are displayed

Expected Behavior

Vulnerabilities shouldn't exist.

Actual Behavior

Vulnerabilities exist.

Reproducible Demo

Just install and follow the steps above.

react-scripts-vulnerability

Most helpful comment

This is a development dependency, so there's nothing to worry about here. We won't be making a release to fix this, but we'll be updating all of our packages soon in anticipation of 2.0 finalizing.
