Create-react-app: Yarn audit fails because of handlebars vulnerability

Created on 15 Nov 2019 · 4 comments · Source: facebook/create-react-app

Describe the bug

After running npx create-react-app <app_name>, yarn audit fails because of a handlebars vulnerability (which has already been fixed).
Path: react-scripts > jest > jest-cli > @jest/core > @jest/reporters > istanbul-reports > handlebars

Did you try recovering your dependencies?

Yes

Which terms did you search for in User Guide?

I've searched for the audit issues

Environment

System:
OS: Linux 5.0 Ubuntu 18.04.3 LTS (Bionic Beaver)
CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Binaries:
Node: 10.17.0 - ~/.nvm/versions/node/v10.17.0/bin/node
(also reproduced on Node: 12.13.0)
Yarn: 1.19.1 - /usr/bin/yarn
npm: 6.11.3 - ~/.nvm/versions/node/v10.17.0/bin/npm
Browsers:
Chrome: 78.0.3904.87
Firefox: 70.0.1
npmPackages:
react: ^16.12.0 => 16.12.0
react-dom: ^16.12.0 => 16.12.0
react-scripts: 3.2.0 => 3.2.0
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

  1. Run npx create-react-app <app_name>
  2. cd <app_name>
  3. yarn audit

Expected behavior

yarn audit should show no vulnerabilities

Actual behavior

Vulnerabilities were found.

bug report needs triage

All 4 comments

Managed to fix this by adding a resolution for handlebars in package.json. Hopefully it will be fixed in the dependencies of upstream packages soon.

...
  "devDependencies": {
    ...
  },
  "resolutions": {
    "handlebars": "~4.5.2"
  },
...

@livmackintosh thanks for the temporary fix, works fine for me!
But I would love to wait till it is resolved out of the box 😄

Huh, [email protected] depends on handlebars@^4.1.2 in its package.json, which the fixed version satisfies, but yarn is installing 4.4.2. When I use the --use-npm flag I don't get any vulnerabilities.

@heyimalex it's likely because of https://github.com/facebook/create-react-app/blob/6a743427117bd623f35e1a9979b411182ddd6e55/packages/create-react-app/yarn.lock.cached

For those experiencing this, please delete your yarn.lock and node_modules and install again to fix this issue. We will hopefully be releasing 3.3 soon, which includes an updated yarn.lock.cached that will fix the issue for newly created apps.
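The root cause in this thread is a cached lockfile pinning handlebars to 4.4.2 even though the declared range ^4.1.2 already allowed the patched release. As an added example (not code from this thread or from create-react-app), the Node script below parses a yarn.lock v1 file and reports entries for a package whose resolved version is older than a given fixed version, so a stale pin can be caught before relying on a resolutions override. The lockfile excerpt is constructed for the example.

```javascript
// Added example: flag yarn.lock entries that resolve a package below a fixed version.
// Compares "major.minor.patch" numerically (pre-release suffix ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Map each "name@range" specifier in a yarn.lock v1 to the version yarn resolved.
// Header lines sit at column 0 and end with ":", may be quoted (scoped packages)
// and may list several comma-separated specs that share one resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      const specs = raw.slice(0, -1).split(', ').map(s => s.replace(/^"|"$/g, ''));
      current = specs.map(spec => {
        const at = spec.lastIndexOf('@'); // last "@" separates name from range
        return { name: spec.slice(0, at), range: spec.slice(at + 1), version: null };
      });
      entries.push(...current);
    } else if (current) {
      const m = raw.match(/^\s+version "([^"]+)"/);
      if (m) current.forEach(e => { e.version = m[1]; });
    }
  }
  return entries;
}

// Return entries for `pkg` whose locked version predates `minFixed`.
function findStalePins(text, pkg, minFixed) {
  return parseYarnLock(text)
    .filter(e => e.name === pkg && e.version && compareVersions(e.version, minFixed) < 0)
    .map(e => ({ range: e.range, version: e.version }));
}

// Constructed lockfile excerpt modelled on the dependency path in the report.
const SAMPLE_LOCK = `# yarn lockfile v1

"@jest/core@^24.9.0":
  version "24.9.0"

handlebars@^4.1.2:
  version "4.4.2"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.4.2.tgz"
`;

console.log(JSON.stringify(findStalePins(SAMPLE_LOCK, 'handlebars', '4.5.2')));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents; an empty result means every locked copy of the package is at or above the fixed version.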
