Vulnerability Issues with postcss and nth-check in react-scripts Dependencies

[PrathapKaraka]

I am encountering a persistent vulnerability issue with react-scripts related to the nth-check package in our prismacloudscan.

Despite making multiple attempts to update the dependencies manually and exploring various resolutions, the vulnerability warning remains.

Node JS version: we tried all possible node versions like node v16.20.2,v18.90, v19.81. and v20.16.0. React version : 18.2.0

Methods we tried to fix the issue.

1. we are using latest react-scripts verison : 5.0.1,
2. we manually installed latest version of postcss and nth-check
3. we tried to override both dependencies in package.json "overrides": { "react-scripts": { "postcss":"8.4.31", "nth-check":"2.0.1" } } and

"overrides": { "postcss":"8.4.31", "nth-check":"2.0.1" }

we tried nth-check latest version 2.1.1 in overrides and 8.4.45.

we tried npm audit and got following results :

nth-check <2.0.1 Severity: high Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/svgo/node_modules/css-select/node_modules/nth-check css-select <=3.1.0 Depends on vulnerable versions of nth-check node_modules/svgo/node_modules/css-select svgo 1.0.0 - 1.3.2 Depends on vulnerable versions of css-select node_modules/svgo @svgr/plugin-svgo <=5.5.0 Depends on vulnerable versions of svgo node_modules/@svgr/plugin-svgo @svgr/webpack 4.0.0 - 5.5.0 Depends on vulnerable versions of @svgr/plugin-svgo node_modules/@svgr/webpack react-scripts >=2.1.4 Depends on vulnerable versions of @svgr/webpack Depends on vulnerable versions of resolve-url-loader node_modules/react-scripts

postcss <8.4.31 Severity: moderate PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/resolve-url-loader/node_modules/postcss resolve-url-loader 0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0 Depends on vulnerable versions of postcss node_modules/resolve-url-loader

request * Severity: moderate Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6 Depends on vulnerable versions of tough-cookie fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/request jsdom 0.1.20 || 0.2.0 - 16.5.3 Depends on vulnerable versions of request Depends on vulnerable versions of request-promise-native Depends on vulnerable versions of tough-cookie node_modules/zem/node_modules/jsdom jest-environment-jsdom 10.0.2 - 25.5.0 Depends on vulnerable versions of jsdom node_modules/zem/node_modules/jest-environment-jsdom request-promise-core * Depends on vulnerable versions of request node_modules/request-promise-core request-promise-native >=1.0.0 Depends on vulnerable versions of request Depends on vulnerable versions of request-promise-core Depends on vulnerable versions of tough-cookie node_modules/request-promise-native

now, we tried npm audit fix --force Still issue not resolved, please update react-scripts dependency it was updated 2 years ago

[Sean-Bradley]

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

[qwertychouskie]

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": {
    "body-parser": "1.20.3",
    "nth-check": ">=2.0.2",
    "serve-static": "2.1.0",
    "postcss": ">=8.4.31"
  },

See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

Do you have a suggested override to fix https://github.com/advisories/GHSA-gcx4-mw62-g8wm?

[qwertychouskie]

For now, this is my overrides list in packages.json:

  "overrides": {
    "svgo": {
      "nth-check": ">=2.0.2"
    },
    "react-scripts": {
      "postcss": ">=8.4.31",
      "workbox-webpack-plugin": ">=7.1.0"
    },
    "workbox-build": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-babel": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-replace": {
      "rollup": ">=3.29.5"
    }
  },

I haven't seen any obvious breakages, but please test this before blindly using it in prod.

[HiickFG]

https://github.com/facebook/create-react-app/pull/13778

I have done this PR recently which could solve the problem. In my app where I tested this, I'm using a direct link to an extracted repository of react-scripts containing these changes to override it in package.json, and it shows zero vulnerabilities now.

In my case was only due to react-scripts having old dependencies, which ultimately would trigger the audit warnings for both postcss and nth-check "sub-packages".

[shyamranpara1099]

Sean-Bradley thank you that is fixed with "overrides": { "body-parser": "1.20.3", "nth-check": ">=2.0.2", "serve-static": "2.1.0", "postcss": ">=8.4.31" },

[disiraThihan]

I am using these overrides and have 0 vulnerablities (sep 11 2024)

"overrides": { "body-parser": "1.20.3", "nth-check": ">=2.0.2", "serve-static": "2.1.0", "postcss": ">=8.4.31" }, See my full package.json at https://sbcode.net/react-three-fiber/build-course-boilerplate/#create-packagejson

Thank you ! this fixed my issue ..

[rkristelijn]

can you please patch thanks https://github.com/mui/toolpad/issues/4878#issuecomment-2820603020