Create-react-app: Snyk reports high risk severity for acorn in react-scripts

I also have the same issue

As do I! Feeling less lonely now

I also have this issue.
npm audit throws that the acorn vuln is patched in version >=7.1.1. I don't know if installing directly the acorn module to the latest version with npm install acorn@latest will solve it. Gonna give it a try and share my results.

@SirMauri any results?

Setting resolutions in package.json is the better approach if using yarn as you don’t explicitly set a dependency on acorn in your project.

@bpedersen thanks for the recommendation, this clears the warnings in yarn audit.

  "resolutions": {
    "acorn": "^7.1.1"
  },

Adding the resolution worked. I came across this issue while working on a very small project using create-react-app. I'm pretty new to coding but I couldn't find a way to address this with npm. I just switched over to yarn but I'm still curious, what can be done about this in projects set up with node package manager?

@dusty @bpedersen @BMD-518

It may remove the warning to manually set the resolution, but does it affect anything in the Create React App in any way? Like, any functionality?

I haven't noticed any build issues with the patched acorn.

@dusty
And no visible bugs in any React apps?

Are there fix for this ?

Any fix for npm? I've found 17 moderate severity vulnerabilities related to react-scripts using acorn.

This needs to be fixed asap because it affect developers using create-react-app.

resolution worked for me

Running npm, I was able to fix it temporarily by
adding to package.json scripts:
"preinstall": "npx npm-force-resolutions",

and adding to package.json
"resolutions": { "acorn": "^7.1.1" }

waiting for react-scripts update though.

Running npm, I was able to fix it temporarily by
adding to package.json scripts:
"preinstall": "npx npm-force-resolutions",

and adding to package.json
"resolutions": { "acorn": "^7.1.1" }

waiting for react-scripts update though.

For others attempting this fix, please be mindful of your other dependencies that uses acorn.
Tried this solution and sadly 7.1.1 broke some of my other modules.

shrugs, guess I'll have to wait on actual fixes.

Solved it temporary by using npm-audit-resolver

Any updates ?

 "resolutions": {
    "acorn": "^7.1.1"
  },

did not work for me.

any updates on the fix?

same here :

Moderate Regular Expression Denial of Service
Package acorn
Patched in >=6.4.1 <7.0.0 || >=7.1.1
Dependency of react-scripts
Path react-scripts > jest > jest-cli > jest-config >
jest-environment-jsdom > jsdom > acorn
More info https://npmjs.com/advisories/1488

any updates ?

Same here,
I tried to use the work around with the version 7.1.1, but "broke" my app, so I tried use 6.4.1 and worked it for me.
But still a work around...

"scripts": {
    "preinstall": "npx npm-force-resolutions",
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject",
    "lint-quiet": "eslint . --quiet",
    "start-prod": "node app.js"
  },
  "resolutions": {
    "acorn": "^6.4.1"
  }

any updates ?

https://github.com/facebook/jest/issues/9643

Update to jest v25.1.0 required in order to fix that vulnerability. It has some breaking changes, so I don't know if that's doable.

Well, I had taken the resolutions route but just removed the resolutions from my package.json and ranyarn audit after updating packages and I'm no longer getting any vulnerabilities. So.. maybe it's been fixed?

I don't know if is a fix. I did the yarn audit.

yarn audit
yarn audit v
1.19.1
info No lockfile found.
warning @material-ui/core > [email protected]: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
warning react-scripts > jest-environment-jsdom-fourteen > jsdom > [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
warning react-scripts > jest > jest-cli > jest-config > jest-environment-jsdom > jsdom > [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
warning react-scripts > jest > jest-cli > jest-config > jest-environment-jsdom > jsdom > [email protected]: use String.prototype.padStart()
warning react-scripts > workbox-webpack-plugin > workbox-build > strip-comments > babel-plugin-transform-object-rest-spread > babel-runtime > [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
warning [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
0 vulnerabilities found - Packages audited: 920690
Done in 31.75s.

But, as is show, it doesn't fix, just show that is deprecated, but not upgrade or anything. Actually, I don't know what yarn did to show 0 vulnerabilities...

But when I did "npm i", in my "package-lock.json" has been change, in jsdom, the version of acorn from 6.4.1 (has no issues) to 5.7.4, that has the main problem (vulnerability issue).

But still with 0 vulnerabilities, even with acorn 5.7.4 ¯_(ツ)_/¯

Acorn 5, 6 and 7 have all had patch releases fixing it, so this shouldn't be an issue anymore

I deleted the node_modules folder, the lock files (npm and yarn) and I did:
yarn

And everything is ok, 0 vulnerabilities
After, I did npm i (why not? ¯_(ツ)_/¯)
Also 0 vulnerabilities.

To finish, yarn start and is working fine.

I think it can be close this issue.

New patch worked for me! Ran an npm audit fix and it was able to fix the vulnerabilities with the new patch available.

Issue confirmed fixed after deleting package-lock.json, deleting node_modules, running npm install and then npm audit fix again.

Also reran Snyk test and no more acorn vulnerabilities.