Since May 14, 2020,
npm has raised the "http-proxy" package's security vulnerability warning to High level.
As a result, the "http-proxy" package is ~blocked~ warned about by npm audit:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > http-proxy-middleware > │
│               │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
I know that this package is used in CRA's "react-scripts" package.
Thus, node package management attempts are blocked at the root of all CRA-based projects:
found 2 vulnerabilities (1 low, 1 high)
Run 'npm audit fix' to fix them, or 'npm audit' for details
I can't analyze security issues in detail, but according to two references, (a) where "http-proxy" is referenced in the CRA and (b) the "npm audit" log:
react-scripts > webpack-dev-server > http-proxy-middleware > http-proxy
I thought only "webpack-dev-server" was directly affected by this issue.
Based on these:
1) "npm build" is not affected. Is this right?
2) When opening the dev server through "npm start": if this is on localhost or a private network, it seems irrelevant to this security issue. Is this right?
I was just wondering before using the npm install "--no-audit" option.
npm install [package-name] --no-audit
Please give me any comment on this.
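The two questions above come down to one check: does the advisory's dependency path start at a production dependency or at a devDependency of the project? The following is an added example, not code from this issue thread, from npm or from http-proxy. It parses a constructed `npm audit --json` report (the `advisories` / `findings` / `paths` field names follow the npm 6 report format as an assumption) against a constructed CRA-style `package.json`, and classifies each advisory by the root of its path. Note that CRA lists `react-scripts` under `dependencies` by default, so the finding is reported as reachable from production even though the path runs through `webpack-dev-server`; the second run shows the same report with `react-scripts` moved to `devDependencies`.

```javascript
// Added example: triage npm-audit findings by the manifest section their
// dependency path starts in. Not code from the issue thread, npm or http-proxy.

// Constructed sample manifest: the relevant parts of a CRA-style package.json.
// CRA places react-scripts under "dependencies" by default.
const sampleManifest = {
  dependencies: { react: "16.13.1", "react-scripts": "3.4.1" },
  devDependencies: { eslint: "6.8.0" },
};

// Constructed sample audit report, trimmed to the fields used here. The field
// names mirror npm 6's `npm audit --json` output (assumption); adapt
// `advisories`, `findings` and `paths` if your npm version reports differently.
const sampleAudit = {
  advisories: {
    "1486": {
      id: 1486,
      module_name: "http-proxy",
      severity: "high",
      title: "Denial of Service",
      findings: [
        {
          version: "1.18.0",
          paths: ["react-scripts>webpack-dev-server>http-proxy-middleware>http-proxy"],
        },
      ],
    },
  },
};

// Classify one dependency path ("a>b>c") by the manifest section of its root.
function classifyPath(path, manifest) {
  const root = path.split(">")[0];
  if (manifest.dependencies && root in manifest.dependencies) return "production";
  if (manifest.devDependencies && root in manifest.devDependencies) return "development";
  // A root listed in neither table (e.g. a path reported relative to a nested
  // package) is treated as production: the conservative choice for triage.
  return "production";
}

// One triage record per advisory in the report.
function triage(audit, manifest) {
  return Object.values(audit.advisories).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths);
    const kinds = paths.map((p) => classifyPath(p, manifest));
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      paths,
      reachableFromProduction: kinds.includes("production"),
    };
  });
}

// Render triage records as one summary line each.
function formatTriage(records) {
  return records.map(
    (r) =>
      `${r.severity.toUpperCase()} ${r.module} (advisory ${r.id}): ` +
      (r.reachableFromProduction
        ? "path starts at a production dependency"
        : "path starts only at devDependencies")
  );
}

// The same manifest with react-scripts moved from dependencies to
// devDependencies, to show how the classification changes.
function withDevReactScripts(manifest) {
  const { "react-scripts": rs, ...deps } = manifest.dependencies;
  return {
    dependencies: deps,
    devDependencies: { ...manifest.devDependencies, "react-scripts": rs },
  };
}

console.log(formatTriage(triage(sampleAudit, sampleManifest)).join("\n"));
console.log(formatTriage(triage(sampleAudit, withDevReactScripts(sampleManifest))).join("\n"));
```

This is the same manifest-level filtering that `npm audit --production` applies in recent npm 6 releases (it skips advisories reachable only through devDependencies), so that flag is the narrower alternative to `--no-audit` when the goal is to keep auditing production code. The classification says only which manifest section the path starts in; it does not inspect the build output, and it says nothing about the dev server started by `npm start`, which still loads the affected package while it runs.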
I think you are right, but anyhow, by principle, I would not go for --no-audit. We created this tool for ensuring Node.js keeps secure. If we start using --no-audit for our deploy to bypass CI, then we are already going to the dark side.
I think we should all focus on working on a fix and releasing it before doing another deploy. We have enough developers here to handle this in a short period of time. In fact, we already have a pull request pending for a fix: https://github.com/http-party/node-http-proxy/pull/1447
Of course, I don't ignore the "npm audit" policy.
I just wanted to make sure that the security issue has no effect if it is not a development server (webpack-dev-server), because npm warns that this is a HIGH-level vulnerability.
And I had to continue package management of CRA-based projects with this warning.
Anyway, thank you for your comments and advice; I'm always grateful to you and all Node package contributors.
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
This issue has been automatically closed because it has not had any recent activity. If you have a question or comment, please open a new issue.