
[Bug] High Severity Vulnerabilities in Older react-scripts and node-sass and Nested Dependencies #33

Closed
mekkim opened this issue Mar 21, 2022 · 1 comment

Comments

@mekkim

mekkim commented Mar 21, 2022

Version

Latest

Reproduction link

https://github.com/creativetimofficial/argon-design-system-react

Operating System

All

Device

All

Browser & Version

All

Steps to reproduce

Run npm audit against latest branch.

What is expected?

No vulnerabilities in dependencies

What is actually happening?

38 vulnerabilities (20 moderate, 18 high) in dependencies.
npm audit fix advises that upgrades required to address vulnerabilities are breaking.


Solution

Dependencies and any resulting breaking feature changes should be resolved:
react-scripts to version 5.0.0+
node-sass to version 7.0.1+

Additional comments

npm audit log: https://pastes.io/tr6m6umkip

@mekkim
Author

mekkim commented Mar 21, 2022

Can be fixed by changing package.json to use latest versions of node-sass and react-scripts (though unsure if that breaks anything as latest is a breaking change relative to currently listed versions--testing required!)

"node-sass": "latest",
"react-scripts": "latest",

plus adding the following at the end for the nested dependencies of glob-parent and nth-check. Same caveat re: breaking potential:

"overrides": {
  "glob-parent": "latest",
  "nth-check": "latest"
}
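The audit described in this thread (38 findings, fixes flagged as breaking, several of them in nested dependencies) is the kind of result a CI gate should be able to read mechanically. The following is an added example, not code from the issue author or from the argon-design-system-react project: a small Node script that consumes the `npm audit --json` report format (`auditReportVersion` 2, produced by npm 7 and later), counts findings by severity, separates direct from transitive packages, collects which top-level upgrades npm marks as semver-major (the "breaking" upgrades the issue mentions), and fails when anything at or above a chosen severity remains. The embedded report is constructed for the example; the package names mirror the issue, but the advisory titles, ranges and versions are illustrative placeholders, and the `audit-gate.js` file name and the `failAt` parameter are this example's own.

```javascript
// Added example (not from the issue or the project it was filed against):
// a CI gate over `npm audit --json` output (auditReportVersion 2, npm 7+).
// Intended usage:  npm audit --json > audit.json && node audit-gate.js
// (file loading is left out so the block runs offline on the sample below).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Summarise an audit report: counts by severity, direct vs. transitive
// packages, fixes that need a semver-major (breaking) upgrade, and a
// pass/fail verdict for findings at or above `failAt`.
function summarizeAudit(report, failAt = "high") {
  const vulns = report.vulnerabilities || {};
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const direct = [];
  const transitive = [];
  const breakingFixes = {}; // top-level package -> version npm says fixes it
  const noFix = [];

  for (const [name, v] of Object.entries(vulns)) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    (v.isDirect ? direct : transitive).push(name);
    if (v.fixAvailable === false) {
      noFix.push(name);
    } else if (typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor) {
      // This is what `npm audit fix` reports as a breaking change.
      breakingFixes[v.fixAvailable.name] = v.fixAvailable.version;
    }
  }

  const threshold = SEVERITY_RANK[failAt];
  const blocking = Object.entries(vulns)
    .filter(([, v]) => SEVERITY_RANK[v.severity] >= threshold)
    .map(([name]) => name)
    .sort();

  return {
    total: Object.keys(vulns).length,
    counts,
    direct: direct.sort(),
    transitive: transitive.sort(),
    breakingFixes,
    noFix,
    blocking,
    pass: blocking.length === 0,
  };
}

// Constructed sample in the shape of `npm audit --json`. Package names follow
// the issue; advisory titles, ranges and versions are placeholders, not real
// advisory data. The node-sass chain is truncated at one hop for brevity.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "nth-check": {
      name: "nth-check", severity: "high", isDirect: false,
      via: [{ name: "nth-check", severity: "high", range: "<2.0.1", title: "constructed advisory" }],
      effects: ["css-select"], range: "<2.0.1", nodes: ["node_modules/nth-check"],
      fixAvailable: { name: "react-scripts", version: "5.0.0", isSemVerMajor: true },
    },
    "css-select": {
      name: "css-select", severity: "high", isDirect: false,
      via: ["nth-check"], effects: ["svgo"], range: "<=3.1.0", nodes: ["node_modules/css-select"],
      fixAvailable: { name: "react-scripts", version: "5.0.0", isSemVerMajor: true },
    },
    "glob-parent": {
      name: "glob-parent", severity: "moderate", isDirect: false,
      via: [{ name: "glob-parent", severity: "moderate", range: "<5.1.2", title: "constructed advisory" }],
      effects: ["chokidar"], range: "<5.1.2", nodes: ["node_modules/glob-parent"],
      fixAvailable: { name: "react-scripts", version: "5.0.0", isSemVerMajor: true },
    },
    "node-sass": {
      name: "node-sass", severity: "high", isDirect: true,
      via: ["trim-newlines"], effects: [], range: "<7.0.1", nodes: ["node_modules/node-sass"],
      fixAvailable: { name: "node-sass", version: "7.0.1", isSemVerMajor: true },
    },
  },
};

// Demo run on the constructed sample: 3 high + 1 moderate, all fixes
// semver-major, verdict "fail" at the default "high" threshold.
console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
```

The `breakingFixes` map is the part worth acting on: it names the top-level packages (here `react-scripts` and `node-sass`) whose major-version bump clears the nested findings, which is the same conclusion the issue reaches by hand. When applying that bump, or an `overrides` entry for a nested package, pinning an exact version rather than the `latest` dist-tag keeps the install reproducible and keeps the lockfile meaningful, so that a later `npm audit` run compares against a known dependency tree.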
