
React scripts ( "react-scripts": "^5.0.1") is using [email protected] which has security vulnerability

Open redwoodxiao opened this issue 2 years ago • 2 comments

Describe the bug

React scripts ( "react-scripts": "^5.0.1") is using [email protected] which has security vulnerability

[email protected]
└─┬ [email protected]
  ├─┬ @babel/[email protected]
  │ ├─┬ @babel/[email protected]
  │ │ └── [email protected]
  │ └── [email protected] <=====
  ├─┬ @svgr/[email protected]
  │ └─┬ @babel/[email protected]
  │   ├─┬ [email protected]
  │   │ ├─┬ @babel/[email protected]
  │   │ │ └── [email protected]
  │   │ └── [email protected]
  │   └── [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   └─┬ [email protected]
  │     └── [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   └── [email protected]
  ├─┬ [email protected]
  │ └─┬ @babel/[email protected]
  │   └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected] deduped
  ├─┬ [email protected]
  │ ├─┬ @babel/[email protected]
  │ │ └── [email protected]
  │ ├─┬ @typescript-eslint/[email protected]
  │ │ ├─┬ @typescript-eslint/[email protected]
  │ │ │ └── [email protected]
  │ │ └── [email protected]
  │ ├─┬ @typescript-eslint/[email protected]
  │ │ └─┬ @typescript-eslint/[email protected]
  │ │   └── [email protected]
  │ ├─┬ [email protected]
  │ │ └── [email protected]
  │ └─┬ [email protected]
  │   └── [email protected]

Recommended by White scans: upgrade to version semver 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2.

redwoodxiao, Sep 27 '23 19:09
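As an added example (not code from this issue, from create-react-app, or from react-scripts), the following Node script does the check a maintainer would want after reading the report above: it walks a package-lock.json (lockfileVersion 2/3 "packages" map), flags every nested copy of semver that is below the fixed release the issue cites for its major line (5.7.2, 6.3.1, 7.5.2), and emits the package.json "overrides" block that pins each affected major to that release. The sample lockfile is constructed for the example; the simplified three-part version parser and the `semver@^N` override-key form are assumptions of this example, not something the issue states.

```javascript
'use strict';

// Fixed semver releases per major line, as listed in the issue.
const FIXED_BY_MAJOR = { 5: '5.7.2', 6: '6.3.1', 7: '7.5.2' };

// Constructed sample lockfile (lockfileVersion 3 layout); not taken from any real project.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'react-scripts': '^5.0.1' } },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/react-scripts/node_modules/semver': { version: '7.3.2' },
    'node_modules/@babel/core/node_modules/semver': { version: '6.3.0' },
    'node_modules/some-old-pkg/node_modules/semver': { version: '5.7.1' },
    'node_modules/ancient/node_modules/semver': { version: '4.3.6' },
  },
};

// Parse the leading "MAJOR.MINOR.PATCH" of a version string. Pre-release and
// build suffixes are ignored: a deliberate simplification for this example.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive, like an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/react-scripts/node_modules/semver"; the last "node_modules/"
// segment is the package name, so nested copies are found, not just the top one.
function findVulnerableSemver(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.split('node_modules/').pop();
    if (name !== 'semver' || !entry.version) continue;
    const major = parseVersion(entry.version)[0];
    const fixed = FIXED_BY_MAJOR[major];
    // A major line with no fixed release listed in the issue is reported as
    // unknown rather than silently passed, so it is not mistaken for "clean".
    if (fixed === undefined) {
      hits.push({ path, version: entry.version, status: 'unknown-major' });
    } else if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version, status: 'vulnerable', fixed });
    }
  }
  return hits;
}

// Build the package.json "overrides" block that forces every affected major
// line of semver onto its fixed release. npm applies overrides to transitive
// dependencies, which is what a react-scripts consumer needs here (assumed
// "name@range" key form).
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) {
    if (h.status !== 'vulnerable') continue;
    const major = parseVersion(h.version)[0];
    overrides[`semver@^${major}`] = h.fixed;
  }
  return { overrides };
}

// Stand-alone run: list findings and print the suggested overrides block.
if (typeof require !== 'undefined' && require.main === module) {
  const hits = findVulnerableSemver(SAMPLE_LOCK);
  for (const h of hits) {
    const fix = h.fixed ? `, fixed in ${h.fixed}` : '';
    console.log(`${h.status}: ${h.path} (${h.version}${fix})`);
  }
  console.log(JSON.stringify(buildOverrides(hits), null, 2));
}
```

Overrides require npm 8.3 or later; after adding the block and reinstalling, `npm ls semver` shows whether every copy landed on the pinned release, and `npm audit` confirms the finding is gone. Pinning per major line rather than forcing one version on all copies avoids breaking packages that depend on the 5.x or 6.x API.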

Just for info, I have been maintaining a react-scripts alternative that currently shows 0 vulnerabilities. It is a simplified react-scripts; it works in much the same way as react-scripts. However, there is no guarantee that it supports the finer details.

But it works for all of my use cases. https://github.com/Sean-Bradley/R3F-Pack

Basic functionality

  • It serves the dev version on port 3000
  • It auto opens the browser at address http://localhost:3000
  • It enables Hot Module Reloading (HMR)
  • It serves the development version from the ./public folder
  • npm run build builds a production-quality version of your app and copies all static files and folders under ./public to the ./build folder, ready for deployment
  • Production bundle.js contains a hash in its name to prevent browser caching
  • It supports building with TypeScript
  • It indicates 0 vulnerabilities when running npm install, at the time of last push

Sean-Bradley, Oct 18 '23 18:10

up

kevingio-julo, Dec 31 '23 09:12