react-scripts is using postcss@^7.0.35 which has security vulnerability #13423

Open

Open

react-scripts is using postcss@^7.0.35 which has security vulnerability#13423

Labels

issue: bug reportneeds triage

opened

on Oct 30, 2023

react-scripts@5.0.1 requires postcss@^7.0.35 via a transitive dependency on resolve-url-loader@4.0.0

I see the latest version of resolve-url-loader is 5.x, and it depends on postcss@8.x. So can we update resolve-url-loader to a non-vulnerable version? Thank you!

added

issue: bug report

on Oct 30, 2023

A link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-44270

added a commit that references this issue

on Nov 17, 2023

Fix postcss CVE

linked a pull request that will close this issue

on Nov 17, 2023

Fix postcss CVE #13454

I had to use overrides in my package.json to overcome there errors:

  "overrides": {
    "nth-check": "https://registry.npmjs.org/nth-check/-/nth-check-2.1.1.tgz",
    "postcss": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz"
  }

However the dependency should be updated in the main branch

@Dror-Bar thank you, you are going to be in my video on using Trivy to fix vulnerabilities with this suggestion -- Thank you!!!

mentioned this

Showing error #13457

I made this PR: #13778

It involves updating the resolve-url-loader to ^5.x as part of the vulnerability solution.

linked a pull request that will close this issue

on Jan 14, 2025

react-scripts package: Resolving vulnerabilities by updating dependencies + .SVG loader bug fix #13778

mentioned this

on Apr 24, 2025

프론트 보안 이슈 처리 ellen24k/opensw#77

to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

Labels

issue: bug reportneeds triage

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

Participants