[Snyk] Security upgrade react-scripts from 3.4.0 to 4.0.0 #11

naiba4 · 2023-07-01T04:23:08Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: react-scripts

The new version differs by 138 commits.

ed95893 Publish
88ca4f6 Prepare 4.0.0 release
d23d615 Update react dom in error overlay
95265c3 Update CHANGELOG
523b416 Add link to Open Collective (#9864)
af616ab Update CHANGELOG
014ca01 Prepare 4.0.0 release
2b1161b Pass JSX runtime setting to Babel preset in Jest config (#9865)
f2aef41 Prepare 4.0.0 alpha release
4bc639c Upgrade to React 17 (#9863)
d61347d Use new JSX setting with TypeScript 4.1.0 (#9734)
e63de79 New JSX Transform opt out (#9861)
fe785b2 feat: Update all dependencies (#9857)
85ab02b feat: remove unused React imports (#9853)
329f392 feat: Update ESLint dependencies (#9856)
10fa972 feat(eslint-config-react-app): Add jest & testing-library rules (#8963)
ed919b1 Make eslint-plugin-jest an optional peerDependency (#9670)
0a93e32 Fix refreshOverlayInterop module scope error (#9805)
7965594 Bump resolve-url-loader version (#9841)
b1f8536 Add 3.4.4 to the changelog
d07b7d0 Replace deprecated eslint-loader with eslint-webpack-plugin (#9751)
6f3e32e Upgrade Docusaurus to latest version (#9728)
1f2d387 fix: resolve new JSX runtime issues (#9788)
6a51dcd Add AVIF image support (#9611)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

socket-security · 2023-07-01T04:25:57Z

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
react-scripts	3.4.0...4.0.0	None	`+729/-585`	94.4 MB	iansu

socket-security · 2023-07-01T04:26:00Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Bidirectional unicode control characters	entities	2.2.0	Location: lib/maps/entities.json	react-scripts@4.0.0 via `package.json`
Zero width unicode chars	entities	2.2.0	Location: lib/maps/entities.json +4 more instances...	react-scripts@4.0.0 via `package.json`
Bidirectional unicode control characters	react-error-overlay	6.0.11	Location: lib/index.js +7 more instances...	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	react-error-overlay	6.0.11	Previous Chronological: react-error-overlay@6.1.0-next.14 (4/12/2022, 5:13:10 PM) Previous Semver: react-error-overlay@6.0.10 (12/14/2021, 3:54:01 PM)	react-scripts@4.0.0 via `package.json`
Zero width unicode chars	react-error-overlay	6.0.11	Location: lib/index.js +11 more instances...	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	ansi-regex	4.1.1	Previous Chronological: ansi-regex@5.0.1 (9/14/2021, 3:55:19 PM) Previous Semver: ansi-regex@4.1.0 (3/8/2019, 6:14:40 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	ansi-regex	5.0.1	Previous Chronological: ansi-regex@6.0.1 (9/10/2021, 8:25:05 PM) Previous Semver: ansi-regex@5.0.0 (10/4/2019, 11:29:13 AM)	eslint@6.8.0, eslint-config-react-app@5.2.0, react-scripts@4.0.0, release-it@12.6.1 via `package.json`
Chronological version anomaly	babel-plugin-named-asset-import	0.3.8	Previous Chronological: babel-plugin-named-asset-import@1.0.0-next.104 (12/14/2021, 6:10:36 AM) Previous Semver: babel-plugin-named-asset-import@0.3.7 (10/23/2020, 2:40:46 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	workbox-cacheable-response	5.1.4	Previous Chronological: workbox-cacheable-response@6.0.0-alpha.2 (8/14/2020, 6:50:41 PM) Previous Semver: workbox-cacheable-response@5.1.3 (4/24/2020, 3:19:51 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	ws	7.5.9	Previous Chronological: ws@8.8.0 (6/9/2022, 7:00:36 PM) Previous Semver: ws@7.5.8 (5/26/2022, 5:29:59 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	ws	6.2.2	Previous Chronological: ws@7.4.6 (5/25/2021, 4:29:58 PM) Previous Semver: ws@6.2.1 (3/27/2019, 8:53:30 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	workbox-expiration	5.1.4	Previous Chronological: workbox-expiration@6.0.0-alpha.2 (8/14/2020, 6:50:44 PM) Previous Semver: workbox-expiration@5.1.3 (4/24/2020, 3:19:51 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	@sinonjs/commons	1.8.6	Previous Chronological: @sinonjs/commons@2.0.0 (11/7/2022, 4:50:09 PM) Previous Semver: @sinonjs/commons@1.8.5 (11/7/2022, 4:44:52 PM)	react-scripts@4.0.0 via `package.json`
No contributors or author data	@sinonjs/commons	1.8.6	Location: package.json	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	send	0.18.0	Previous Chronological: send@1.0.0-beta.1 (2/5/2022, 4:57:40 AM) Previous Semver: send@0.17.2 (12/12/2021, 1:18:25 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	tsconfig-paths	3.14.2	Previous Chronological: tsconfig-paths@4.1.2 (1/1/2023, 11:31:55 PM) Previous Semver: tsconfig-paths@3.14.1 (3/22/2022, 7:07:02 PM)	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Debug access	tsconfig-paths	3.14.2	Module: module Location: lib/register.js	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Dynamic require	tsconfig-paths	3.14.2	Location: lib/filesystem.js	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Environment variable access	tsconfig-paths	3.14.2	Env Vars: Location: lib/config-loader.js +1 more instances...	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Filesystem access	tsconfig-paths	3.14.2	Module: fs Location: lib/filesystem.js +1 more instances...	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Chronological version anomaly	workbox-routing	5.1.4	Previous Chronological: workbox-routing@6.0.0-alpha.2 (8/14/2020, 6:50:44 PM) Previous Semver: workbox-routing@5.1.3 (4/24/2020, 3:19:51 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	core-js	2.6.12	Previous Chronological: core-js@3.7.0 (11/6/2020, 3:11:17 PM) Previous Semver: core-js@2.6.11 (12/8/2019, 9:02:51 PM)	react-scripts@4.0.0 via `package.json`
URL strings	core-js	3.31.0	URL: https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md Location: postinstall.js +35 more instances...	react-scripts@4.0.0 via `package.json`
Uses eval	core-js	3.31.0	Eval Type: Function Location: internals/try-node-require.js	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	minimatch	3.1.2	Previous Chronological: minimatch@5.0.0 (2/15/2022, 4:50:03 PM) Previous Semver: minimatch@3.1.1 (2/13/2022, 4:01:44 AM)	eslint@6.8.0, eslint-config-react-app@5.2.0, react-scripts@4.0.0, release-it@12.6.1 via `package.json`
Chronological version anomaly	workbox-window	5.1.4	Previous Chronological: workbox-window@6.0.0-alpha.2 (8/14/2020, 6:50:44 PM) Previous Semver: workbox-window@5.1.3 (4/24/2020, 3:19:51 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	yargs-parser	13.1.2	Previous Chronological: yargs-parser@15.0.1 (3/13/2020, 8:56:48 PM) Previous Semver: yargs-parser@13.1.1 (6/10/2019, 1:17:59 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	minimist	1.2.8	Previous Chronological: minimist@0.2.3 (2/9/2023, 8:11:17 PM) Previous Semver: minimist@1.2.7 (10/11/2022, 1:21:52 AM)	eslint@6.8.0, eslint-config-react-app@5.2.0, react-scripts@4.0.0, release-it@12.6.1 via `package.json`
Chronological version anomaly	resolve-url-loader	3.1.5	Previous Chronological: resolve-url-loader@5.0.0 (1/17/2022, 9:55:09 PM) Previous Semver: resolve-url-loader@3.1.4 (6/22/2021, 2:01:48 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	rollup-plugin-terser	5.3.1	Previous Chronological: rollup-plugin-terser@7.0.1 (8/28/2020, 7:19:34 PM) Previous Semver: rollup-plugin-terser@5.3.0 (3/9/2020, 7:28:16 PM)	react-scripts@4.0.0 via `package.json`
Obfuscated require	rollup-plugin-terser	5.3.1	Location: index.js	react-scripts@4.0.0 via `package.json`
Unmaintained	rollup-plugin-terser	5.3.1	Last Publish: 9/4/2020, 6:39:17 PM	react-scripts@4.0.0 via `package.json`
Uses eval	rollup-plugin-terser	5.3.1	Eval Type: eval Location: transform.js	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	workbox-range-requests	5.1.4	Previous Chronological: workbox-range-requests@6.0.0-alpha.2 (8/14/2020, 6:50:44 PM) Previous Semver: workbox-range-requests@5.1.3 (4/24/2020, 3:19:50 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	workbox-streams	5.1.4	Previous Chronological: workbox-streams@6.0.0-alpha.2 (8/14/2020, 6:50:52 PM) Previous Semver: workbox-streams@5.1.3 (4/24/2020, 3:19:58 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	workbox-strategies	5.1.4	Previous Chronological: workbox-strategies@6.0.0-alpha.2 (8/14/2020, 6:50:44 PM) Previous Semver: workbox-strategies@5.1.3 (4/24/2020, 3:19:58 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	@babel/code-frame	7.22.5	Previous Chronological: @babel/code-frame@7.21.4-esm.4 (4/4/2023, 3:13:27 PM) Previous Semver: @babel/code-frame@7.21.4 (3/31/2023, 9:01:51 AM)	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Chronological version anomaly	axe-core	4.7.2	Previous Chronological: axe-core@4.7.1-canary.ae5e3fb (5/25/2023, 9:23:11 AM) Previous Semver: axe-core@4.7.1 (5/15/2023, 3:44:25 PM)	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Mixed license	axe-core	4.7.2	License: GPL-2.0-with-bison-exception,MPL-2.0 +1 more instances...	eslint-config-react-app@5.2.0, react-scripts@4.0.0 via `package.json`
Chronological version anomaly	source-map	0.7.4	Previous Chronological: source-map@0.8.0-beta.0 (11/16/2018, 12:03:32 AM) Previous Semver: source-map@0.7.3 (5/16/2018, 5:29:49 PM)	react-scripts@4.0.0 via `package.json`
Filesystem access	source-map	0.7.4	Module: fs Location: dist/source-map.js +2 more instances...	react-scripts@4.0.0 via `package.json`
New author	source-map	0.7.4	New Author: eemeli Previous Author: loganfsmyth	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	lines-and-columns	1.2.4	Previous Chronological: lines-and-columns@1.1.11 (11/21/2021, 3:30:36 AM) Previous Semver: lines-and-columns@1.2.3 (11/21/2021, 12:30:55 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	watchpack	1.7.5	Previous Chronological: watchpack@2.0.1 (10/31/2020, 12:37:45 PM) Previous Semver: watchpack@1.7.4 (7/24/2020, 4:08:03 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	fsevents	1.2.13	Previous Chronological: fsevents@2.1.3 (4/22/2020, 8:48:23 AM) Previous Semver: fsevents@1.2.12 (3/19/2020, 9:14:58 AM)	react-scripts@4.0.0 via `package.json`
Install scripts	fsevents	1.2.13	Install script: install Source: `node install.js`	react-scripts@4.0.0 via `package.json`
Major refactor	fsevents	1.2.13	Change Percentage: 112.26 Current Line Count: 100 Previous Line Count: 36464 Lines Changed: 41048	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	@babel/plugin-syntax-typescript	7.22.5	Previous Chronological: @babel/plugin-syntax-typescript@7.21.4-esm.4 (4/4/2023, 3:13:16 PM) Previous Semver: @babel/plugin-syntax-typescript@7.21.4 (3/31/2023, 9:01:53 AM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	cssnano-preset-default	4.0.8	Previous Chronological: cssnano-preset-default@5.0.0-rc.2 (3/15/2021, 4:45:12 PM) Previous Semver: cssnano-preset-default@4.0.7 (2/12/2019, 6:11:34 PM)	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	postcss	7.0.39	Previous Chronological: postcss@8.3.8 (9/25/2021, 7:33:40 AM) Previous Semver: postcss@7.0.38 (9/25/2021, 7:30:04 AM)	react-scripts@4.0.0 via `package.json`
URL strings	postcss	7.0.39	URL: https://github.com/postcss/postcss/wiki/PostCSS-8-for-end-users Location: lib/processor.js +1 more instances...	react-scripts@4.0.0 via `package.json`
Chronological version anomaly	postcss	7.0.36	Previous Chronological: postcss@8.3.1 (6/9/2021, 11:38:49 PM) Previous Semver: postcss@7.0.35 (9/28/2020, 9:42:40 PM)	react-scripts@4.0.0 via `package.json`
URL strings	postcss	7.0.36	URL: https://github.com/postcss/postcss/wiki/PostCSS-8-for-end-users Location: lib/processor.js +1 more instances...	react-scripts@4.0.0 via `package.json`
Environment variable access	postcss	8.4.24	Env Vars: Location: lib/postcss.js +1 more instances...	react-scripts@4.0.0 via `package.json`
Filesystem access	postcss	8.4.24	Module: fs Location: lib/previous-map.js	react-scripts@4.0.0 via

guardrails · 2023-07-01T04:33:21Z

⚠️ We detected 65 security issues in this pull request:

Vulnerable Libraries (65)

Severity	Details
High	pkg:npm/acorn@5.7.3 (t) upgrade to: 5.7.4,6.4.1,7.1.1
High	pkg:npm/ansi-regex@3.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
High	pkg:npm/lodash.template@4.5.0 (t) - no patch available
High	pkg:npm/css-what@2.1.3 (t) - no patch available
High	pkg:npm/css-what@3.2.1 (t) - no patch available
High	pkg:npm/is-svg@3.0.0 (t) upgrade to: 4.2.2
Medium	pkg:npm/sockjs@0.3.19 (t) upgrade to: 0.3.20
Critical	pkg:npm/set-value@2.0.1 (t) - no patch available
High	pkg:npm/minimatch@3.0.4 (t) upgrade to: 3.0.5
Medium	pkg:npm/jsdom@11.12.0 (t) upgrade to: 16.5.0
High	pkg:npm/ini@1.3.5 (t) upgrade to: 1.3.6
Critical	pkg:npm/unset-value@1.0.0 (t) - no patch available
Low	pkg:npm/request@2.88.2 (t) - no patch available
Medium	pkg:npm/node-notifier@5.4.3 (t) upgrade to: 8.0.1
High	pkg:npm/node-addon-api@2.0.0 (t) - no patch available
Critical	pkg:npm/json-schema@0.2.3 (t) upgrade to: 0.4.0
Medium	pkg:npm/browserslist@4.8.6 (t) upgrade to: 4.16.5
Critical	pkg:npm/express@4.17.1 (t) - no patch available
Medium	pkg:npm/core-js@2.6.11 (t) - no patch available
Medium	pkg:npm/core-js@3.6.4 (t) - no patch available
Critical	pkg:npm/shell-quote@1.7.2 (t) upgrade to: 1.7.3
High	pkg:npm/async@2.6.3 (t) upgrade to: 3.2.2,2.6.4
Medium	pkg:npm/istanbul-reports@2.2.7 (t) - no patch available
High	pkg:npm/json5@1.0.1 (t) upgrade to: 2.2.2
Medium	pkg:npm/browserslist@4.8.7 (t) upgrade to: 4.16.5
High	pkg:npm/fb-watchman@2.0.1 (t) - no patch available
Critical	pkg:npm/parse-path@4.0.1 (t) - no patch available
N/A	pkg:npm/normalize-url@4.5.0 (t) - no patch available
Medium	pkg:npm/color-string@1.5.3 (t) upgrade to: 1.5.5
High	pkg:npm/yargs-parser@11.1.1 (t) - no patch available
Critical	pkg:npm/eventsource@1.0.7 (t) upgrade to: 1.1.1,2.0.2
Medium	pkg:npm/nwsapi@2.2.0 (t) - no patch available
High	pkg:npm/http-cache-semantics@4.0.4 (t) upgrade to: 4.1.1,4.1.1
Medium	pkg:npm/terser@4.6.4 (t) - no patch available
High	pkg:npm/json5@2.1.1 (t) upgrade to: 2.2.2
High	pkg:npm/clean-css@4.2.3 (t) - no patch available
High	pkg:npm/ssri@7.1.0 (t) upgrade to: 6.0.2,7.1.1,8.0.1
High	pkg:npm/prompts@2.3.1 (t) - no patch available
High	pkg:npm/websocket-extensions@0.1.3 (t) upgrade to: 0.1.4
High	pkg:npm/ansi-regex@4.1.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
Medium	pkg:npm/word-wrap@1.2.3 (t) - no patch available
Critical	pkg:npm/webpack@4.41.5 (t) - no patch available
N/A	pkg:npm/yargs-parser@17.0.0 (t) - no patch available
Medium	pkg:npm/ajv@6.12.0 (t) upgrade to: 6.12.3
High	pkg:npm/acorn@6.4.0 (t) upgrade to: 5.7.4,6.4.1,7.1.1
Medium	pkg:npm/got@9.6.0 (t) - no patch available
High	pkg:npm/nth-check@1.0.2 (t) upgrade to: 2.0.1
High	pkg:npm/cacheable-request@6.1.0 (t) upgrade to: 10.2.7
Medium	pkg:npm/ws@5.2.2 (t) upgrade to: 7.4.6,6.2.2,5.2.3
High	pkg:npm/decode-uri-component@0.2.0 (t) - no patch available
Critical	pkg:npm/loader-utils@1.2.3 (t) upgrade to: 2.0.3
N/A	pkg:npm/immer@1.10.0 (t) upgrade to: 8.0.1
High	pkg:npm/url-parse@1.4.7 (t) - no patch available
Medium	pkg:npm/node-fetch@2.6.0 (t) - no patch available
High	pkg:npm/postcss@7.0.21 (t) - no patch available
Critical	pkg:npm/lodash@4.17.15 (t) - no patch available
High	pkg:npm/react-dev-utils@10.2.0 (t) - no patch available
High	pkg:npm/follow-redirects@1.10.0 (t) upgrade to: 1.14.7
N/A	pkg:npm/acorn@7.1.0 (t) - no patch available
High	pkg:npm/http-proxy@1.18.0 (t) - no patch available
Critical	pkg:npm/qs@6.5.2 (t) - no patch available
High	pkg:npm/path-parse@1.0.6 (t) - no patch available
Critical	pkg:npm/loader-utils@1.4.0 (t) upgrade to: 2.0.3
N/A	pkg:npm/node-forge@0.9.0 (t) upgrade to: 0.10.0
High	pkg:npm/parse-url@5.0.1 (t) - no patch available

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

fix: package.json & package-lock.json to reduce vulnerabilities

d60a569

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade react-scripts from 3.4.0 to 4.0.0 #11

[Snyk] Security upgrade react-scripts from 3.4.0 to 4.0.0 #11

naiba4 commented Jul 1, 2023

socket-security bot commented Jul 1, 2023

socket-security bot commented Jul 1, 2023

guardrails bot commented Jul 1, 2023

[Snyk] Security upgrade react-scripts from 3.4.0 to 4.0.0 #11

Are you sure you want to change the base?

[Snyk] Security upgrade react-scripts from 3.4.0 to 4.0.0 #11

Conversation

naiba4 commented Jul 1, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

socket-security bot commented Jul 1, 2023

socket-security bot commented Jul 1, 2023

guardrails bot commented Jul 1, 2023