Missing Origin Validation in react-scripts@2.1.2 #6109

Closed
sunknudsen opened this issue Jan 1, 2019 · 29 comments

Comments

@sunknudsen

Is this a bug report?

Yes, NPM reports 1 high severity vulnerability when running npx create-react-app my-app. Not sure why I can't find a bug report already about this issue. Sorry if it has already been reported.

According to npm audit, the webpack-dev-server dependency has to be upgraded to >=3.1.11.

Environment

npx create-react-app --info
npx: installed 63 in 2.22s

Environment Info:

  System:
    OS: macOS High Sierra 10.13.6
    CPU: x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
  Binaries:
    Node: 10.11.0 - /usr/local/bin/node
    npm: 6.5.0 - ~/Sites/theregulars/theregulars-reviews/node_modules/.bin/npm
  Browsers:
    Chrome: 71.0.3578.98
    Firefox: 64.0
    Safari: 12.0.2
  npmPackages:
    react: ^16.6.3 => 16.6.3
    react-dom: ^16.6.3 => 16.6.3
    react-scripts: ^2.1.2 => 2.1.2
  npmGlobalPackages:
    create-react-app: Not Found

Steps to Reproduce

npx create-react-app my-app
cd my-app
npx: installed 63 in 4.162s

Creating a new React app in /Users/sunknudsen/tmp/my-app.

Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...


> fsevents@1.2.4 install /Users/sunknudsen/tmp/my-app/node_modules/fsevents
> node install

[fsevents] Success: "/Users/sunknudsen/tmp/my-app/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" already installed
Pass --update-binary to reinstall or --build-from-source to recompile
+ react-scripts@2.1.2
+ react@16.7.0
+ react-dom@16.7.0
added 1794 packages from 684 contributors and audited 35709 packages in 47.487s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Initialized a git repository.

Success! Created my-app at /Users/sunknudsen/tmp/my-app
Inside that directory, you can run several commands:

  npm start
    Starts the development server.

  npm run build
    Bundles the app into static files for production.

  npm test
    Starts the test runner.

  npm run eject
    Removes this tool and copies build dependencies, configuration files
    and scripts into the app directory. If you do this, you can’t go back!

We suggest that you begin by typing:

  cd my-app
  npm start

Happy hacking!
npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 35709 scanned packages
  1 vulnerability requires manual review. See the full report for details.
@ianschmitz
Contributor

We should bump #6064 and get it in

@ianschmitz
Contributor

#6064 is in now. I'll see if we can get a patch release out ASAP.

@KahtiD

KahtiD commented Jan 2, 2019

I am also having this issue and I've looked everywhere. npm update does not do anything, unless I am entering the command wrong: 'npm update webpack-dev-server@latest'? I'm fairly new to dev so forgive the lack of knowledge. I await the fix. Thank you!

Also: I've checked the version of the package and it says it's at 3.1.14 which is the latest, however in the package-lock.json it is at 3.1.9.

@jrishabh55

jrishabh55 commented Jan 2, 2019

@KahtiD can you try using

npm install --dev webpack-dev-server@latest

instead, that should install the latest version of the package

@KahtiD

KahtiD commented Jan 2, 2019

@KahtiD can you try using

npm install --dev webpack-dev-server@latest

instead, that should install the latest version of the package

Thanks for the reply! I tried this; I just have the vulnerability twice now as it's also in package.json. :( Quite a frustrating vulnerability. I've edited my original comment with more information also.

@jrishabh55

jrishabh55 commented Jan 2, 2019

Ah, my bad, you can specify the version; in that case you need this

npm install --dev webpack-dev-server@3.1.14

@KahtiD

@blackforestcode

Same issue here. Can't fix with "npm audit fix" or upgrading to @latest.

@Showcase-Joz

Same issue here. Can't fix with "npm audit fix" or upgrading to @latest.

nor me

@cmwd

cmwd commented Jan 2, 2019

Updating webpack-dev-server doesn't work because there's a typo in the audit repository 🙈 https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

@VerifiedMarfat

Same issue here. Can't fix with "npm audit fix" or upgrading to @latest.

Same here :(

@jamie29w

jamie29w commented Jan 2, 2019

npm update won't work because webpack-dev-server@3.1.9 is a dependency of react-scripts.

@jomaxx

jomaxx commented Jan 2, 2019

I published a fork with the patch from #6064. We run audit in CI so it was failing our builds. If anybody else wants to use it until the next react-scripts version, it's here: @jomaxx/react-scripts@2.1.2-patch-webpack-dev-server

@KahtiD

KahtiD commented Jan 2, 2019

I've been away from my project for the day. This is the most frustrating bug lol. Has anyone had a fix yet? I've done all the above and despite the typo being corrected I still get the vulnerability message after npm audit.

@KahtiD

KahtiD commented Jan 2, 2019

@jamie29w

Is there a way to update to 3.1.14 for webpack-dev-server in react-scripts, or is it supposed to be at 3.1.9 as it is now, although checking the version returns 3.1.14, confusingly enough?
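The confusion in the last few comments (a hand-installed top-level webpack-dev-server@3.1.14 while package-lock.json still pins 3.1.9 under react-scripts) comes from npm keeping a separate nested copy for the transitive dependency, which is the copy npm audit reports under "Path". The following added example (written for this page, not code from any commenter or from create-react-app) walks a lockfileVersion 1 package-lock.json and lists every install path of a package with its version, flagging those below the patched version; the lock data is constructed to match the thread.

```javascript
// Added example (not from the thread): walks a lockfileVersion-1 package-lock.json
// and lists every install path of a package, so a nested copy under react-scripts
// is not masked by a newer top-level copy. The sample lock below is constructed.
const PATCHED_MIN = '3.1.11'; // "Patched in >=3.1.11" from the npm audit report above

// Constructed lock: the state the thread describes after running
// `npm install webpack-dev-server@latest` in a react-scripts@2.1.2 project.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'react-scripts': {
      version: '2.1.2',
      dependencies: {
        'webpack-dev-server': { version: '3.1.9' },
      },
    },
    'webpack-dev-server': { version: '3.1.14' },
  },
};

// Compare dotted numeric versions (no prerelease handling; enough for this case).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every install path of `name`, like the audit "Path" row.
function findInstalls(deps, name, prefix = []) {
  const found = [];
  for (const [dep, meta] of Object.entries(deps || {})) {
    const path = [...prefix, dep];
    if (dep === name) found.push({ path: path.join(' > '), version: meta.version });
    found.push(...findInstalls(meta.dependencies, name, path));
  }
  return found;
}

// Flag each install that is older than the patched version.
function auditLock(lock, name, patchedMin) {
  return findInstalls(lock.dependencies, name).map((i) => ({
    ...i,
    vulnerable: compareVersions(i.version, patchedMin) < 0,
  }));
}

for (const r of auditLock(sampleLock, 'webpack-dev-server', PATCHED_MIN)) {
  console.log(`${r.path}@${r.version} ${r.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```

To run it against a real project, replace sampleLock with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')); the nested react-scripts > webpack-dev-server entry is the one that only a react-scripts release (or a forced resolution) can change.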

@ianschmitz
Contributor

Just gave a nudge to @gaearon. Hoping to get a patch out soon. Sorry for the delay!

@mjziolko

mjziolko commented Jan 4, 2019

Any update on this?
@ianschmitz @gaearon

@sreeram315

Waiting...

@dbenchi

dbenchi commented Jan 4, 2019

Can we have some feedback about the release date of this patch? We deactivated the audit step from our build so as to not block everyone.

I know that I can use a resolution so as to force the version of webpack-dev-server, but I just do not want to do a workaround on something that is going to be released soon.

So my main question is: when is this patch going to be released?

Thanks a lot

@ianschmitz
Contributor

ianschmitz commented Jan 4, 2019

I haven't been able to get a hold of @gaearon. @Timer said he will have access to a computer again later today and will release the patch tonight.

@ianschmitz ianschmitz modified the milestones: 2.1.3, 2.1.4 Jan 4, 2019
@gaearon
Contributor

gaearon commented Jan 4, 2019

For future reference — my GH notifications are always hosed so please don't count on me seeing a @ mention on some GH thread. Pinging me via mention on Twitter is usually a more sure way to get me to see something. I’m sorry I missed this.

@gaearon
Contributor

gaearon commented Jan 4, 2019

screen shot 2019-01-04 at 6 08 26 pm

@gaearon
Contributor

gaearon commented Jan 4, 2019

I gave @ianschmitz publish rights and he’s working on putting out a release.

@ianschmitz ianschmitz modified the milestones: 2.1.4, 2.1.3 Jan 4, 2019
@ianschmitz
Contributor

v2.1.3 is available. Please let me know if you have any more issues!

@sunknudsen
Author

Running npm audit fix now fixes the vulnerability. Thanks @ianschmitz!

@SafiaNuzhath

Still facing the same issue -

screen shot 2019-01-06 at 11 53 47 pm

@byCedric

byCedric commented Jan 7, 2019

@SafiaNuzhath it looks like you are using Angular, this is the React repository. I would recommend you to leave a comment in the Angular thread related to the security issue.

angular/angular-cli#13342

@ghost

ghost commented Jan 7, 2019

I am still having the same problem. I get the error:
The react-scripts package provided by Create React App requires a dependency:
"webpack-dev-server": "3.1.14"
However, a different version of webpack-dev-server was detected higher up in the tree:

C:\Users\virus\node_modules\webpack-dev-server (version: 3.1.9)

I tried npm audit fix, deleting the modules, then updating the json file to "webpack-dev-server": "3.1.14", then npm install. Still not working, any ideas?

npm 6.5.0

@dbenchi

dbenchi commented Jan 7, 2019

The problem is solved, thanks a lot.

@Ulisses85

Issue solved, thank you guys.

@lock lock bot locked and limited conversation to collaborators Jan 12, 2019