Create-react-app: Dependency on insecure version of braces (Node security advisory 786)
Is this a bug report?
Yes.
Did you try recovering your dependencies?
I don't think this step is necessary, due to the error being present in a brand new project.
Which terms did you search for in User Guide?
None.
Environment
Environment Info:
System:
OS: macOS 10.14.3
CPU: x64 Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz
Binaries:
Node: 10.15.0 - /usr/local/opt/node@10/bin/node
Yarn: 1.13.0 - /usr/local/bin/yarn
npm: 6.4.1 - /usr/local/opt/node@10/bin/npm
Browsers:
Chrome: 72.0.3626.109
Firefox: 65.0
Safari: 12.0.3
npmPackages:
react: ^16.8.2 => 16.8.2
react-dom: ^16.8.2 => 16.8.2
react-scripts: 2.1.5 => 2.1.5
npmGlobalPackages:
create-react-app: Not Found
Steps to Reproduce
yarn create react-app my-appcd my-app/yarn audit
In addition, I've tried to add braces as a top-level dependency using yarn add braces. That didn't help.
Expected Behavior
Pass.
Actual Behavior
Fail:
β my-app git:(master) yarn audit
yarn audit v1.13.0
βββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β low β Regular Expression Denial of Service β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Package β braces β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Patched in β >=2.3.1 β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Dependency of β react-scripts β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Path β react-scripts > babel-jest > babel-plugin-istanbul > β
β β test-exclude > micromatch > braces β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β More info β https://nodesecurity.io/advisories/786 β
βββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β¦
63 vulnerabilities found - Packages audited: 36332
Severity: 63 Low
β¨ Done in 3.12s.
Reproducible Demo
I don't think this is necessary, due to the required steps being very few.
yhoiseth
All 34 comments
This is a development only package and it should not affect your production build in anyway. It should go away once a newer version of a downstream package that addresses this issue is available.
bugzpodder
on 16 Feb 2019
Getting the same vulnerabilities from npm audit regarding braces.
The vulnerability is in versions earlier than 2.3.1 and it seems react-scripts has a nested dependency that uses an earlier version of braces
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected]
βββ¬ [email protected]
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected]
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected] deduped
βββ¬ [email protected]
βββ¬ [email protected]
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected]
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected]
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected]
βββ¬ [email protected]
β βββ¬ [email protected]
β βββ [email protected]
βββ¬ [email protected]
βββ [email protected]
More information on the issue is here.
Do we wait for react-scripts to update the dependency in question?
sbcreates
on 16 Feb 2019
Unless jest releases a new 23.x version with updated dependencies to micromatch@3 (unlikely since this is a breaking change), or CRA updates to jest 24, I don't think there is an easy workaround for this issue.
bugzpodder
on 17 Feb 2019
https://github.com/facebook/jest/issues/7917
As it stands right now, Jest is not planning on releasing a patch for v23.
sorahn
on 17 Feb 2019
See #6064 #6109 #5777 #5618 for earlier times something like this happened; I think it's useful to draw the connection between these recurring issues.
https://github.com/facebook/create-react-app/pull/6064#issuecomment-451521588 explains the reasoning behind this project's tradeoff between dependency pessimism (pinning, delayed upgrades, and enduser frustration) and dependency optimism (allow users to use npm audit fix to apply upgrades with ^ or ~, but remain exposed to the risk that a nested dependency might push a patch upgrade that contains a hidden bug) and give readers of this current issue a pointer to previous discussions and explanations.
I do see that in this case, Jest fixed the issue with a major version bump, not a patch, so even a SemVer "minors and patches OK" "babel-jest": "^23.6.0" wouldn't have helped this time; >=23.6.0 would but that's probably too optimistic (even for me :-) ).
This is a development only package and it should not affect your production build in anyway.
@bugzpodder That is a very confident prediction! Unfortunately, in fact, I can't push to production via my CI pipeline when my tests fail, and this problem causes react-scripts test to fail (since my React client directory is nested under a project root directory containing a NodeJS server, and the server's dependencies are unpinned, so the server got Jest 24.x smoothly via npm audit fix). We're not in active release mode right now, so I'm not personally affected by this particular glitch, but I'm confident there are others who are.
UPDATE: For my nested-node-project setup, I had to add SKIP_PREFLIGHT_CHECK=true to a .env file _in the child project dir_ to allow Jest 23.6.0 in the client to peacefully coexist with Jest 24.1.0 in the server.
ALSO: I know open source development can be a thankless task, so BIG THANKS to everyone who's working on all these interrelated projects and the tangled dependency webs they weave.
alexch
on 17 Feb 2019
FWIW we originally bumped Micromatch in a minor of Jest 23, but it broke a ton of setups (notably on windows), so we reverted it: https://github.com/facebook/jest/pull/6661
SimenB
on 17 Feb 2019
@alexch, your production build (i.e. running react-scripts build) will not be affected by this security vulnerability in any way. You'll get a notice about this low risk vulnerability if you run npm install, but otherwise an end user should not be affected by this issue. There is no need to rush upgrading to Jest 24.
bugzpodder
on 18 Feb 2019
This is causing issues with us being able to deploy our front-end through our CI also. Going to keep an eye out here for any movement. :)
Tasemu
on 18 Feb 2019
Nothing will happen here unless a patch is released for an old version of micromatch or a new major of CRA is released. Using a newer major of micromatch is a breaking change.
Seems like your CI should just check production dependencies, not dev deps. Doesn't seem like npm supports it, though π€·ββοΈ
https://npm.community/t/please-support-production-or-only-production-in-npm-audit/3005
https://github.com/npm/rfcs/pull/18
SimenB
on 18 Feb 2019
WORKAROUND
npm audit --registry=https://registry.npmjs.org --parseable | wc -l
returns the number of vulnerabilities found
you can exclude low vulnerabilities with
npm audit --registry=https://registry.npmjs.org --parseable | grep -V https://nodesecurity.io/advisories/786 | wc -l
aboutlo
on 18 Feb 2019
Instead of using a workaround (which ignores the advisory in all modules you installed) you can use https://www.npmjs.com/package/npm-audit-resolver that wraps audit in fine-grained tools to manage your security decision
naugtur
on 18 Feb 2019
@bugzpodder
This is a development only package and it should not affect your production build in anyway. It should go away once a newer version of a downstream package that addresses this issue is available.
I've seen messages like this a number of times for a variety of reported security vulnerabilities in various packages and it's not a particularly satisfying response for me but maybe I'm thinking about things the wrong way.
Is the expected flow:
- see reported security vulnerability in npm (or yarn).
- lookup that flow
- attempt to determine if the vulnerability will impact the product env or not
- if it's determined it won't, come up with some workaround that suppresses that message from the log
- if it's determined it will, post a bug
That flow seems really likely to allow something that wasn't expected to cause a production issue to end up causing one.
I had been operating under the expectation that the flow was:
- see reported security vulnerability
- immediately attempt to implement a fix - without worrying about whether or not it was expected to cause a prod issue.
- end of flow
Under that flow, we're less likely to let flaws creep into our projects but it means responses like "it only impacts dev" or "it's only a command-line thing" are insufficient.
Maybe the issue with with npm and yarn? Maybe they should have some sort of "dev only, prod and dev" flags or "mark as 'ok for me and don't tell me again'" like other vuln scanners have?
jdalegonzalez
on 18 Feb 2019
@bugzpodder If react-scripts build were my entire process for doing a production build, I would agree with you. But my process for development and deployment also includes running a suite of unit and acceptance tests; to make them work I need to disable preflight checks... which is fine temporarily, but that allows other dependency issues to creep in, and is also one more thing to remember to undo later.
@jdalegonzalez I think you're right that different teams/projects have different workflow expectations, and different levels of reliance on so-called "dev-only" packages, and that your latter flow ("apply fix ASAP") is much preferred over a flow that requires every project owner to deeply understand vulnerabilities and updates and workarounds and release schedules.
alexch
on 18 Feb 2019
@alexch you don't need to disable preflight checks if you install the same version of jest (23.6 instead of 24) in your node code. If you decide to use Jest 24, then disabling preflight checks is a perfectly valid course of action for your decision.
@jdalegonzalez this is unfortunately the difference between reality and an ideal world. Ideally you would run a command that would fix everything, but the reality is that APIs change between versions (especially majors), we have deeply nested dependencies, and most open source projects don't have the resources to back port each fix to older versions. All of your npm modules have various version dependencies (eg Jest 23 uses micromatch 2 but eslint might use micromatch 3 at the same time) so you can't always have the latest packages for every nested dependency. So yes, it needs to be on a case-by-case basis. If you are on a team then one person should be the POC for security related issues. If you aren't sure about a particular vulnerability assessment, issues are one of the perfectly valid ways of asking for help.
bugzpodder
on 18 Feb 2019
Handlebars just joined the party with a High priority vulnerability too
ztolley
on 18 Feb 2019
Yep. That's why we pulled it out. We can live without test coverage
reporting
On Mon, Feb 18, 2019, 4:15 PM Zac Tolley <[email protected] wrote:
Handlebars just joined the party with a High priority vulnerability too
β
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/facebook/create-react-app/issues/6443#issuecomment-464881530,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABZ6hKAredtyt7L_aQCyipooTEOkJDXSks5vOxf3gaJpZM4a_CiD
.
jdalegonzalez
on 19 Feb 2019
Any ideas for suppressing this on yarn audit? Our CI is currently blocked even though jest is a dev dependency.
Looks like yarn doesn't allow for auditing production-only dependencies.
dlipeles
on 19 Feb 2019
I don't really understand why, but it seems like this is related to my perfect-scrollbar being on the left of my page instead of the right - I'm getting identical vulnerabilities after running npm audit, but everything else is working fine.
Edit: running Material Dashboard Pro
emilymclean2
on 19 Feb 2019
@dlipeles why would this block a CI? Is it because of the preflight check or do you have a build step that hinges on yarn audit succeeding? In any case, if you are yarn, you could use yarn resolutions to pin micromatch to v3 but it might break something, YMMV.
bugzpodder
on 19 Feb 2019
NPM Audit is part of CI pipeline and due to this issue it is failing every time I pushed the code.
Why this issue started to occurred, I have not updated any package?
jitenderchand1
on 19 Feb 2019
Is it possible to change your CI pipeline to omit npm audit step? From my experience it takes a non-trivial amount of time to test/deploy/propagate a security fix. In most cases, when a security advisory is posted, either it doesn't affect your production build (such as this case), or that it is a real issue. In the latter case, either a fix might not be immediately available/feasible, or there could be workarounds that might mitigate risk while keeping the package as-is, and blocking all builds until the package is updated might not be the best course of action.
EDIT: This comment isn't meant as a call to ignore security warnings. npm audit has its place and it should be done as part of security audit for your application. It should be monitored and dealt on a case by case basis. IMO it doesn't belong in a CI pipeline for the reasons mentioned above.
bugzpodder
on 19 Feb 2019
Is it possible to change your CI pipeline to omit npm audit step? From my experience it takes a non-trivial amount of time to test/deploy/propagate a security fix.
@bugzpodder With all due respect, this feels like bad advice to me. While I recognize that right this minute we're in a bit of a pickle as it relates to NPM audit, the idea that we all should ignore security warnings because most of the time they don't impact our app feels a little careless. Almost all high-profile breaches I've ever seen reported start with someone thinking it wasn't a high-priority to patch some previously reported vulnerability. A very low percentage of hacks are exploiting zero-day/unreported vulnerabilities. Within the last six months, there were packages on npm that had the ability to steal cryptocurrency - no impact to the "app" itself, it just made the app a conduit for theft.
If you feel like "for right now" removing the audit from the CI pipeline is necessary while solutions are explored - I would at least sympathize and maybe agree. If you're advocating (like some are) that the standard npm audit be wrapped in some script that filters out those warnings deemed as acceptable risk (again until npm fixes their audit system to support this natively), I would agree too.
Making the blanket suggestion that people stop depending on npm audit as a part of CI altogether because "in most cases" security advisories don't impact "most" production apps feels like a bridge too far.
(of course, that's just my opinion. I could be wrong)
jdalegonzalez
on 19 Feb 2019
@jitenderchand1
Why this issue started to occurred, I have not updated any package?
The vulnerability was discovered in an existing package.
sorahn
on 19 Feb 2019
A vulnerability was discovered and reported in a package that one of your packages ultimately depends on.Β You didnβt need to update anything.Β The vulnerability report is what is new.
From: Daryl Roberts notifications@github.com
Reply-To: facebook/create-react-app reply@reply.github.com
Date: Tuesday, February 19, 2019 at 8:40 AM
To: facebook/create-react-app create-react-app@noreply.github.com
Cc: jdalegonzalez dale.gonzalez@gmail.com, Mention mention@noreply.github.com
Subject: Re: [facebook/create-react-app] Dependency on insecure version of braces (Node security advisory 786) (#6443)
@jitenderchand1
Why this issue started to occurred, I have not updated any package?
The vulnerability was discovered in an existing package.
β
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
jdalegonzalez
on 19 Feb 2019
Let's focus on the issue here. This is not the place to debate the merits of npm audit or how your CI should be set up.
Since Jest isn't planning to backport this fix to Jest 23 the only thing we can do is release a major version of Create React App with Jest 24. We are currently working on that and you can follow the progress on upgrading to Jest 24 here: https://github.com/facebook/create-react-app/pull/6278
iansu
on 19 Feb 2019
Potentially, you can get a patch into braces/micromatch (although it's v2, with v3 being current major and v4 right around the corner).
Note that upgrading from micromatch 2 to 3 is a breaking change in and of itself, so there's really no way Jest can backport a fix to v23
SimenB
on 19 Feb 2019
any updates ??
Waseemrajashaik
on 25 Feb 2019
@Waseemrajashaik Based on @iansu's comment above, I think #6278 is relevant to your question.
yhoiseth
on 25 Feb 2019
Let's focus on the issue here. This is not the place to debate the merits of
npm auditor how your CI should be set up.
Agreed. I shared my view on the merits of npm audit in the npm forum. I hope I represented the technical aspects correctly.
godmar
on 1 Mar 2019
even thought installed latest CRA it still gives. Any updates?
ghost
on 13 Mar 2019
We haven't yet upgraded to Jest 24 which includes the fix but it is in progress. This will be part of the 3.0 release.
ianschmitz
on 13 Mar 2019
FWIW, I went through my node_modules folder and searched out each instance of micromatch. I opened the respective folders and the package.json in each and manually changed the braces dependency version to 2.3.2. Jest was not the only culprit; after updating their package.json files I also had to update this in about 8 other packages edit nested inside Jest; so I guess you could say it's all Jest. They were all on 2.3.1, except one that was 1.8.5.
I did npm install to re-scan and install per the new package.jsons.
This resolved the warning (as the fix is >2.3.1) and CRA works fine.
Here's my npm tree now:
edit - I'm parsing this down. My npm tree was frickin huge. Hopefully this makes it easier for others to do the same, instead of digging folder by folder.
+-- [email protected]
| ...
| +-- [email protected]
| | ...
| | +-- [email protected]
| | +-- [email protected]
| | | +-- [email protected]
| | | `-- [email protected]
| | | ...
| | | +-- [email protected]
| | | | ...
| | | | +-- [email protected]
| | | | ...
| | +-- [email protected]
| | | ...
| | | +-- [email protected]
...
| | +-- [email protected]
| | | ...
| | | +-- [email protected]
| | | | ...
| | | | +-- [email protected]
| | | | | ...
| | +-- [email protected]
| | | ...
| | | +-- [email protected]
| | | | +-- [email protected]
| | | | `-- [email protected]
| | | | +-- [email protected]
| | | | | ...
| | +-- [email protected]
| | | ...
| | | +-- [email protected]
| | | |...
| +-- [email protected]
| | ...
| | +-- [email protected]
| | | +...
| | | | ...
| | | +-- [email protected]
...
| | | +-- [email protected]
| | | | +-- [email protected] deduped
| | | | +-- [email protected]
| | | | | ...
| | | | | +-- [email protected]
| | | | | |...
| | +-- [email protected]
| | |...
| | | +-- [email protected] deduped
| | | `-- [email protected]
| | | ...
| | | +-- [email protected]
| | | ...
`-- [email protected]
methodbox
on 30 Mar 2019
Hmm ok so what would be the fastest way to continue working on my old project right now if npm audit fails, barring completely ignoring the issue by installing with --no-audit?
marcinwasilewski
on 31 Mar 2019
For those that need this resolved immediately you can try out our alpha build by following the instructions over at #6475. Closing this for now as it should be resolved and will be part of the 3.0 release.
ianschmitz
on 31 Mar 2019
Related issues
dualcnhq
Β·
3Comments
alleroux
Β·
3Comments
ap13p
Β·
3Comments
AlexeyRyashencev
Β·
3Comments
DaveLindberg
Β·
3Comments
Most helpful comment
Let's focus on the issue here. This is not the place to debate the merits of
npm auditor how your CI should be set up.Since Jest isn't planning to backport this fix to Jest 23 the only thing we can do is release a major version of Create React App with Jest 24. We are currently working on that and you can follow the progress on upgrading to Jest 24 here: https://github.com/facebook/create-react-app/pull/6278