Create-react-app: High severity vulnerability detected by audit in react-scripts 3.4.2 dependencies

Created on 11 Aug 2020 · 18 comments · Source: facebook/create-react-app

Edit from maintainers: this is a false positive.

See https://github.com/facebook/create-react-app/issues/9469#issuecomment-672984368.

Describe the bug

After installing the latest version (3.4.2) of react-scripts, I got a high severity vulnerability (Remote Code Execution) reported for serialize-javascript (2.1.2), pulled in by terser-webpack-plugin (2.3.5), which is a dependency of react-scripts (3.4.2).

Did you try recovering your dependencies?

Yes
npm --version
6.14.7

Which terms did you search for in User Guide?

NA

Environment

Environment Info:

current version of create-react-app: 3.4.1
running from C:\Users\fcha\AppData\Roaming\npm-cache\_npx\16340\node_modules\create-react-app

System:
OS: Windows 10 10.0.18363
CPU: (8) x64 Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
Binaries:
Node: 11.10.0 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: 44.18362.449.0
Internet Explorer: 11.0.18362.1
npmPackages:
react: ^16.13.1 => 16.13.1
react-dom: ^16.13.1 => 16.13.1 (15.6.1)
react-scripts: ^3.4.2 => 3.4.2
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

NA

Expected behavior

No vulnerabilities detected by audit

Actual behavior

High severity vulnerabilities detected by audit

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

High Remote Code Execution

Package serialize-javascript

Patched in >=3.1.0

Dependency of react-scripts

Path react-scripts > terser-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1548

found 1 high severity vulnerability in 2114 scanned packages
1 vulnerability requires manual review. See the full report for details.

Reproducible demo

NA

bug report needs triage

All 18 comments

I am experiencing the same high severity vulnerability. Does anyone have suggestions on the best way to solve this issue? I do not have much experience with manually fixing npm vulnerabilities. Thanks

I am experiencing the same issue as well, tried manually installing the latest versions of packages serialize-javascript and terser-webpack-plugin as a fix, but still running into the same high vulnerability notification on audit.

npm version is 6.14.5

I am experiencing the same issue.

npm --version
6.14.7

react-scripts: 3.4.2

Experiencing the same vulnerability - running npm version 6.14.7

Such things always seem to happen on the day of a release. Us too...

I believe the best way to solve this is for react-scripts to upgrade its terser-webpack-plugin to version 3 or 4 (both use a version of serialize-javascript that is free from this issue)

@charkour A temporary workaround (if you need to get past your CI or something) is to manually override the version of either terser-webpack-plugin or serialize-javascript. At the moment I don't know if there is any compatibility issue that could happen, but at least the changelog can be found here

@knivesschau A manual install wouldn't work because (in npm's view) react-scripts still requires the other version, so both versions will exist. What should be done is to override the version inside react-scripts' dependencies (in package-lock, for example)

@dvkndn D'oh! Of course. Thank you! I will give that a try and see if it resolves the issue.

@dvkndn Thanks again! Overriding the version manually in package-lock worked for me.

Please let me know if you find out solution!

I tried manually updating serialize-javascript to 4.0.0, which didn't help (I now understand why). Waiting for a real solution.

Getting the same vulnerability here

This is what has helped in my CI.

WARNING!
Please note that this really overrides every version of serialize-javascript in your tree to 3.1.0, so you may want to see what else you will break.

Before forcing resolutions:

npm ls serialize-javascript

npm install npm-force-resolutions

In package.json add resolutions to the root object:

"name": xxx,
"dependencies": {...},
...
"resolutions": {
  "serialize-javascript": "3.1.0"
},

then run npm-force-resolutions:

npx npm-force-resolutions

Packages should now install with the fixed version:

npm install
...
found 0 vulnerabilities
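The reach of that override, as an added example that is not the npm-force-resolutions tool's code or anything posted in the thread: a model of what a resolutions entry does to a lockfile-v1 tree, together with the check the warning above asks for (which consumers end up outside the range they declared). The lockfile is constructed for the example; its react-scripts > terser-webpack-plugin > serialize-javascript path mirrors the one reported in the thread, while some-other-tool, the hoisted 3.0.0 copy and every range in requires are assumptions of the demo.

```javascript
'use strict';
// Added example: models what a "resolutions" override does to a lockfile-v1
// tree. Not the npm-force-resolutions tool's code. The lockfile is constructed;
// the react-scripts path mirrors the thread, "some-other-tool" and every
// `requires` range are assumptions for the demo.
const sampleLock = {
  name: 'app-front', version: '0.1.0', lockfileVersion: 1,
  dependencies: {
    'react-scripts': {
      version: '3.4.2',
      requires: { 'terser-webpack-plugin': '2.3.5' },
      dependencies: {
        'terser-webpack-plugin': {
          version: '2.3.5',
          requires: { 'serialize-javascript': '^2.1.2' },
          dependencies: {
            'serialize-javascript': { version: '2.1.2', requires: {} },
          },
        },
      },
    },
    'some-other-tool': { version: '1.0.0', requires: { 'serialize-javascript': '^3.0.0' } },
    'serialize-javascript': { version: '3.0.0', requires: {} },
  },
};

// Lockfile-v1 resolution: a package that X requires is X's own nested entry
// if present, else the nearest ancestor's (ultimately the hoisted root one).
function resolveFrom(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const hit = (chain[i].dependencies || {})[name];
    if (hit) return hit;
  }
  return null;
}

// Every consumer of `name`: its path, the range it declared in `requires`,
// and the version that range resolves to in this tree.
function consumersOf(lock, name) {
  const out = [];
  (function walk(entry, chain, path) {
    for (const [depName, child] of Object.entries(entry.dependencies || {})) {
      const childPath = [...path, depName];
      const range = (child.requires || {})[name];
      if (range !== undefined) {
        const target = resolveFrom([...chain, entry, child], name);
        out.push({ consumer: childPath.join(' > '), range, resolved: target ? target.version : null });
      }
      walk(child, [...chain, entry], childPath);
    }
  })(lock, [], []);
  return out;
}

// Minimal range check for the two forms in the sample: exact "x.y.z" and
// caret "^x.y.z" for major >= 1 (same major, not lower). Not full semver.
function satisfies(version, range) {
  const parse = (s) => s.split('.').map(Number);
  const caret = range.startsWith('^');
  const want = parse(caret ? range.slice(1) : range);
  const have = parse(version);
  if (!caret) return have.every((n, i) => n === want[i]);
  if (have[0] !== want[0]) return false;
  for (let i = 1; i < 3; i++) {
    if (have[i] > want[i]) return true;
    if (have[i] < want[i]) return false;
  }
  return true;
}

// What the override amounts to: every entry for `name`, at any depth, is set
// to `version`. The old resolved URL and integrity hash no longer apply, so
// they are dropped for npm to refill on the next install (the real tool
// rewrites them itself; simplified here). Returns a modified copy.
function forceVersion(lock, name, version) {
  const copy = JSON.parse(JSON.stringify(lock));
  let rewritten = 0;
  (function walk(entry) {
    for (const [depName, child] of Object.entries(entry.dependencies || {})) {
      if (depName === name) {
        child.version = version;
        delete child.resolved;
        delete child.integrity;
        rewritten++;
      }
      walk(child);
    }
  })(copy);
  return { lock: copy, rewritten };
}

// The check the warning asks for: which consumers the override moves outside
// the range they declared (and therefore were tested against).
function breakageReport(lock, name, version) {
  return consumersOf(lock, name).map((c) => ({ ...c, forced: version, outsideRange: !satisfies(version, c.range) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const name = 'serialize-javascript';
  console.table(consumersOf(sampleLock, name));
  console.table(breakageReport(sampleLock, name, '3.1.0'));
  const forced = forceVersion(sampleLock, name, '3.1.0');
  console.log(`rewrote ${forced.rewritten} entries`);
  console.table(consumersOf(forced.lock, name));
}
```

Run it with node and the second table is the one to read before committing the override: in the constructed tree, forcing 3.1.0 takes terser-webpack-plugin outside its declared ^2.1.2 while some-other-tool's ^3.0.0 is still satisfied. Against a real project, replace sampleLock with the parsed package-lock.json and compare with `npm ls serialize-javascript` before and after.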

@tdowgielewicz I think you should put this at the top of your post

WARNING!
Please note that this really overrides every version of serialize-javascript in your tree to 3.1.0, so you may want to see what else you will break.

Before forcing resolutions:

npm ls serialize-javascript

Same issue for me:

npm ls serialize-javascript

[email protected] /tomasdisk/app-front
└─┬ react-scripts@3.4.2
  ├─┬ terser-webpack-plugin@2.3.5
  │ └── serialize-javascript@2.1.2

The PR #9470 should solve the vulnerability

Same issue for me, and the irony of this is hilarious:

3.4.2 was released to counter another vulnerability

v3.4.2 release bumps webpack-dev-server to a version for which npm audit does not report a vulnerability. Note that this vulnerability did not affect Create React App projects, so this change is only necessary to satisfy auditing tools.

There is no actual vulnerability here.

If you read the advisory, the attack has to do with having a specially crafted object in the source. However, Terser Webpack Plugin uses serialize-javascript for disk caching. If the attacker can somehow "poison" the source code of your app, you have much bigger problems anyway. In other words, this vulnerability applies to the scenarios where serialize-javascript is used at runtime with untrusted input, but here it is used at build time with trusted input (your own source code).
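The trusted-input versus untrusted-input distinction drawn above, as an added example that is not code from create-react-app, terser-webpack-plugin or serialize-javascript: a deliberately simplified model of a serializer that swaps RegExp values for placeholder strings and splices them back in as regex literals, in a naive form beside a form that refuses to substitute at an escaped quote. It is fed once with trusted build-time input (a cache key made of a tool's own options) and once with an attacker-controlled object that a runtime sink evaluates. The placeholder prefix `@__R-demo`, the `hooks` object the injected expression reaches, the sample options and the payload are all assumptions of the demo, not details taken from the advisory or the library.

```javascript
'use strict';
// Added example: a simplified model of a "serialize to evaluable JS" helper,
// not code from serialize-javascript, terser-webpack-plugin or react-scripts.
// JSON.stringify swaps each RegExp for a placeholder string, then the
// placeholders are spliced back in as regex literals. The placeholder prefix
// is a constant here only so the demo is deterministic (assumption: the
// attacker knows it); real libraries randomize it per process.
const PREFIX = '@__R-demo';

function stringifyWithPlaceholders(value) {
  const regexes = [];
  const json = JSON.stringify(value, (key, v) => {
    if (v instanceof RegExp) {
      regexes.push(v);
      return `${PREFIX}-${regexes.length - 1}__@`;
    }
    return v;
  });
  return { json, regexes };
}

// Naive variant: splices a regex literal in wherever a quoted placeholder
// appears, even when the opening quote is an escaped quote (\") that
// JSON.stringify emitted *inside* a user-supplied string.
function serializeNaive(value) {
  const { json, regexes } = stringifyWithPlaceholders(value);
  const re = new RegExp(`"${PREFIX}-(\\d+)__@"`, 'g');
  return json.replace(re, (match, idx) => regexes[Number(idx)].toString());
}

// Checked variant: JSON.stringify only ever puts a backslash in front of a
// quote that lies inside a string, so a match with a leading backslash is
// not a real string token and is left alone.
function serializeChecked(value) {
  const { json, regexes } = stringifyWithPlaceholders(value);
  const re = new RegExp(`(\\\\)?"${PREFIX}-(\\d+)__@"`, 'g');
  return json.replace(re, (match, backslash, idx) =>
    backslash ? match : regexes[Number(idx)].toString());
}

// Runtime sink: a process evaluating a blob that came from a request. Direct
// eval so the evaluated text can reach `hooks`, standing in for whatever the
// real process exposes (require, process, ...).
function evalSink(serialized, hooks) {
  return eval('(' + serialized + ')');
}

// Constructed attacker object. The RegExp's source closes the string the bug
// drops it into and then runs an expression; the string value starts with a
// quote so JSON.stringify emits \" directly before the placeholder.
function attackerObject() {
  return {
    foo: /1" + hooks.hit()/i,
    bar: `"${PREFIX}-0__@`,
  };
}

// Serialize the attacker object with the given variant and evaluate it as a
// runtime sink would. Reports whether the injected call ran; with the naive
// variant the evaluation also ends in a ReferenceError, because the regex's
// `i` flag is left dangling as a division by an undefined identifier, but
// only after the call has already happened.
function runUntrusted(serialize) {
  let called = false;
  const hooks = { hit: () => { called = true; return 1; } };
  let error = null;
  try {
    evalSink(serialize(attackerObject()), hooks);
  } catch (e) {
    error = e.constructor.name;
  }
  return { codeRan: called, error };
}

// Trusted build-time input, the terser-webpack-plugin situation: a cache key
// built from the tool's own options (constructed here). Both variants
// round-trip it, which is why the bug never bites in that position.
function trustedRoundTrip(serialize) {
  const options = { test: /\.m?js(\?.*)?$/i, parallel: true, exclude: ['vendor'] };
  const restored = evalSink(serialize(options), null);
  return restored.test instanceof RegExp &&
    restored.test.source === options.test.source &&
    restored.parallel === true && restored.exclude[0] === 'vendor';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive   :', runUntrusted(serializeNaive));
  console.log('checked :', runUntrusted(serializeChecked));
  console.log('trusted :', trustedRoundTrip(serializeNaive), trustedRoundTrip(serializeChecked));
}
```

Running it prints `codeRan: true` for the naive variant and `codeRan: false` for the checked one, and `true true` for the trusted round trip. The point to take from the middle line is the one made in the comment: the same naive code is harmless when the object it serializes is the build tool's own configuration, and the problem only exists where attacker-controlled strings reach the serializer and the output is later evaluated.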

@gaearon remember to do a release on github too :)

I just saw this version bump reported via npm-check-updates and came here to see what was going on (I have github set up to alert me on releases to this repo), but there was no release, then I saw that npm had the new one

Note that even though there's no actual vulnerability, we'd still want the warning to go away. I explained the next steps in https://github.com/facebook/create-react-app/pull/9470#pullrequestreview-466091335 if you'd like to help move that forward.

Fixed the false positive in [email protected].
