Update dependencies in react-scripts to pull in latest babel traverse to get past known vulnerability.
This updates dependencies (mainly in packages/react-scripts) to update babel/traverse to get past a security vulnerability (CVE-2023-45133); see #13470
Steps taken
- update `babel-core` (which transitively pulls in `babel/traverse`) to latest in `packages/react-scripts`
- run `npm audit fix` in root to update `package-lock.json` with the new `babel-traverse` and other dependencies.

The tests pass and running a skeleton app appears to work.
@thekbb Please can you provide the solution for this issue so it can be fixed in our environment for now? While upgrading the transitive dependency, it breaks in other cases and throws different errors. We may not know when the next release would be. Any ETA you're aware of? Thanks for creating a PR and helping the community.
@AnupSingh97, you had issues with upgrading babel/core to 7.23.6? to update babel/traverse? What happened? It is working for me.
If I consume your changes from here, it may work, but the PR hasn't merged yet. I was asking about the alternate option to update the babel/traverse dependency to remove the critical vulnerability. I found an overrides section approach to update the transitive dependency for now. If you have any other approach please suggest, and what's your input on the overrides section approach?
Thanks, @thekbb, for replying and looking forward.
overrides reference: https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides
Hi, is there an update regarding this PR? This is a critical vulnerability of remote code execution. It doesn't make sense that it hasn't been fixed yet. Is there a reason for the delay with fixing it?
@thekbb any update as to when this will be merged?
I can't say when or if it will be merged, I am not a maintainer. This project is abandoned - I've moved on and would advise you to do so as well.