Yes, NPM reports 1 high severity vulnerability when running npx create-react-app my-app. Not sure why I can't find a bug report already about this issue. Sorry if it has already been reported.
According to npm audit, the webpack-dev-server dependency has to be upgraded to >=3.1.11.
npx create-react-app --info
npx: installed 63 in 2.22s
Environment Info:
System:
OS: macOS High Sierra 10.13.6
CPU: x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
Binaries:
Node: 10.11.0 - /usr/local/bin/node
npm: 6.5.0 - ~/Sites/theregulars/theregulars-reviews/node_modules/.bin/npm
Browsers:
Chrome: 71.0.3578.98
Firefox: 64.0
Safari: 12.0.2
npmPackages:
react: ^16.6.3 => 16.6.3
react-dom: ^16.6.3 => 16.6.3
react-scripts: ^2.1.2 => 2.1.2
npmGlobalPackages:
create-react-app: Not Found
npx create-react-app my-app
cd my-app
npx: installed 63 in 4.162s
Creating a new React app in /Users/sunknudsen/tmp/my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
> [email protected] install /Users/sunknudsen/tmp/my-app/node_modules/fsevents
> node install
[fsevents] Success: "/Users/sunknudsen/tmp/my-app/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" already installed
Pass --update-binary to reinstall or --build-from-source to recompile
+ [email protected]
+ [email protected]
+ [email protected]
added 1794 packages from 684 contributors and audited 35709 packages in 47.487s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Success! Created my-app at /Users/sunknudsen/tmp/my-app
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can't go back!
We suggest that you begin by typing:
cd my-app
npm start
Happy hacking!
npm audit
=== npm audit security report ===
--------------------------------------------------------------------------------
Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance
--------------------------------------------------------------------------------
High            Missing Origin Validation
Package         webpack-dev-server
Patched in      >=3.1.11
Dependency of   react-scripts
Path            react-scripts > webpack-dev-server
More info       https://nodesecurity.io/advisories/725
--------------------------------------------------------------------------------
found 1 high severity vulnerability in 35709 scanned packages
1 vulnerability requires manual review. See the full report for details.
We should bump #6064 and get it in
I am also having this issue and I've looked everywhere. npm update does not do anything, unless I am entering the command wrong: 'npm update webpack-dev-server@latest'? I'm fairly new to dev so forgive the lack of knowledge. I await the fix. Thank you!
Also: I've checked the version of the package and it says it's at 3.1.14, which is the latest; however, in the package-lock.json it is at 3.1.9.
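The confusion in the comment above (the registry's latest is 3.1.14, but package-lock.json still pins 3.1.9 underneath react-scripts) is easy to reproduce by walking the lock file directly instead of trusting a top-level version check. The following is an added example, not code from the thread or from create-react-app: it parses a constructed lockfileVersion 1 structure shaped like npm 6 output, lists every installed copy of a package with the dependency path that pulled it in, and compares each copy against the advisory's patched range (>=3.1.11). The sample lock content, the package name and the minimum version are assumptions for illustration.

```python
"""Find every installed copy of a package in an npm 6 (lockfileVersion 1)
package-lock.json and check each against a minimum patched version.

Nested copies live under a parent's "dependencies" key, which is exactly
where a top-level `npm install webpack-dev-server@latest` does not reach.
"""
import json

# Constructed sample, shaped like npm 6 lockfileVersion 1 output (assumption):
# react-scripts pins its own nested webpack-dev-server at 3.1.9 while a
# newer copy the user installed sits at the top level.
SAMPLE_LOCK = {
    "name": "my-app",
    "lockfileVersion": 1,
    "dependencies": {
        "react-scripts": {
            "version": "2.1.2",
            "requires": {"webpack-dev-server": "3.1.9"},
            "dependencies": {
                "webpack-dev-server": {"version": "3.1.9", "dev": True}
            },
        },
        "webpack-dev-server": {"version": "3.1.14", "dev": True},
    },
}


def parse_version(version):
    """Turn '3.1.11' into (3, 1, 11).

    Prerelease and build tags are dropped, which is enough for comparing
    release versions but is not a full semver implementation.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def satisfies_min(version, minimum):
    """True when `version` is at or above the patched minimum."""
    return parse_version(version) >= parse_version(minimum)


def find_installs(node, name, path=()):
    """Yield (dependency path, version) for every copy of `name`, recursing
    into nested "dependencies" blocks the way npm 6 lays them out."""
    for dep, child in node.get("dependencies", {}).items():
        here = path + (dep,)
        if dep == name:
            yield " > ".join(here), child["version"]
        yield from find_installs(child, name, here)


def audit_package(lock, name, patched_min):
    """Return [(path, version, ok)] for each installed copy of `name`."""
    return [
        (path, version, satisfies_min(version, patched_min))
        for path, version in find_installs(lock, name)
    ]


def load_lock(path):
    """Read a real package-lock.json from disk (not used by the sample run)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for path, version, ok in audit_package(SAMPLE_LOCK, "webpack-dev-server", "3.1.11"):
        print(f"{'ok ' if ok else 'BAD'}  {path} ({version})")
```

Run against the sample it reports the top-level 3.1.14 as fine and the nested react-scripts > webpack-dev-server copy at 3.1.9 as still vulnerable, which is the state npm audit was flagging; pointing load_lock at a real package-lock.json gives the same view of the installed tree without relying on a version string that only describes the outermost copy.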
@KahtiD can you try using
npm install --dev webpack-dev-server@latest
instead, that should install the latest version of the package
Thanks for the reply! I tried this; I just have the vulnerability twice now, as it's also in package.json. :( Quite a frustrating vulnerability. I've edited my original comment with more information also.
Ah, my bad, you can specify the version. In that case you need this:
npm install --dev [email protected]
@KahtiD
Same issue here. Can't fix with "npm audit fix" or upgrading to @latest.
nor me
Updating webpack-dev-server doesn't work because there's a typo in the audit repository: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4
Same issue here. Can't fix with "npm audit fix" or upgrading to @latest.
Same here :(
npm update
won't work because [email protected] is a dependency of react-scripts.
I published a fork with the patch from https://github.com/facebook/create-react-app/pull/6064. We run audit in CI, so this was failing our builds. If anybody else wants to use it until the next react-scripts version, it's here: @jomaxx/[email protected]
I've been away from my project for the day. This is the most frustrating bug, lol. Has anyone had a fix yet? I've done all the above, and despite the typo being corrected I still get the vulnerability message after npm audit.
@jamie29w
Is there a way to update to 3.1.14 for webpack-dev-server in react-scripts, or is it supposed to be at 3.1.9 as it is now, although checking the version returns 3.1.14, confusingly enough?
Just gave a nudge to @gaearon. Hoping to get a patch out soon. Sorry for the delay!
Any update on this?
@ianschmitz @gaearon
Waiting...
Can we have some feedback about the release date of this patch? We deactivated the audit step from our build so as to not block everyone.
I know that I can use resolutions so as to force the version of webpack-dev-server, but I just do not want to do some workaround on something that is going to be released soon.
So my main question is: when is this patch going to be released?
Thanks a lot
I haven't been able to get a hold of @gaearon. @timer said he will have access to a computer again later today and will release the patch tonight.
For future reference: my GH notifications are always hosed, so please don't count on me seeing a @mention on some GH thread. Pinging me via mention on Twitter is usually a more sure way to get me to see something. I'm sorry I missed this.
I gave @ianschmitz publish rights and he's working on putting out a release.
v2.1.3 is available. Please let me know if you have any more issues!
Running npm audit fix now fixes the vulnerability. Thanks @ianschmitz!
Still facing the same issue.
@SafiaNuzhath it looks like you are using Angular, this is the React repository. I would recommend you to leave a comment in the Angular thread related to the security issue.
I am still having the same problem. I get the error:
The react-scripts package provided by Create React App requires a dependency:
"webpack-dev-server": "3.1.14"
However, a different version of webpack-dev-server was detected higher up in the tree:
C:\Users\virus\node_modules\webpack-dev-server (version: 3.1.9)
I tried npm audit fix. Deleting node_modules, then updating the json file to "webpack-dev-server": "3.1.14", then npm install. Still not working; any ideas?
npm 6.5.0
The problem is solved, thanks a lot.
Issue solved, thank you guys.