[Snyk] Security upgrade react-scripts from 3.4.0 to 5.0.0 #12

naiba4 · 2023-07-05T05:16:26Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: react-scripts

The new version differs by 250 commits.

221e511 Publish
6a3315b Update CONTRIBUTING.md
5614c87 Add support for Tailwind (#11717)
657739f chore(test): make all tests install with `npm ci` (#11723)
20edab4 fix(webpackDevServer): disable overlay for warnings (#11413)
69321b0 Remove cached lockfile (#11706)
3afbbc0 Update all dependencies (#11624)
f5467d5 feat(eslint-config-react-app): support ESLint 8.x (#11375)
e8319da [WIP] Fix integration test teardown / cleanup and missing yarn installation (#11686)
c7627ce Update webpack and dev server (#11646)
f85b064 The default port used by `serve` has changed (#11619)
544befe Update package.json (#11597)
9d0369b Fix ESLint Babel preset resolution (#11547)
d7b23c8 test(create-react-app): assert for exit code (#10973)
1465357 Prepare 5.0.0 alpha release
3880ba6 Remove dependency pinning (#11474)
8b9fbee Update CODEOWNERS
cacf590 Bump template dependency version (#11415)
5cedfe4 Bump browserslist from 4.14.2 to 4.16.5 (#11476)
50ea5ad allow CORS on webpack-dev-server (#11325)
63bba07 Upgrade jest and related packages from 26.6.0 to 27.1.0 (#11338)
960b21e Bump immer from 8.0.4 to 9.0.6 (#11364)
134cd3c Resolve dependency issues in v5 alpha (#11294)
b45ae3c Update CONTRIBUTING.md

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

socket-security · 2023-07-05T05:19:17Z

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
react-scripts	3.4.0...5.0.0	None	`+723/-974`	86.2 MB	iansu

socket-security · 2023-07-05T05:19:21Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Bidirectional unicode control characters	entities	2.2.0	Location: lib/maps/entities.json	react-scripts@5.0.0 via `package.json`
Zero width unicode chars	entities	2.2.0	Location: lib/maps/entities.json +4 more instances...	react-scripts@5.0.0 via `package.json`
Bidirectional unicode control characters	html-entities	2.4.0	Location: lib/named-references.js +3 more instances...	react-scripts@5.0.0 via `package.json`
Zero width unicode chars	html-entities	2.4.0	Location: lib/named-references.js +5 more instances...	react-scripts@5.0.0 via `package.json`
Bidirectional unicode control characters	jiti	1.19.1	Location: dist/babel.js	react-scripts@5.0.0 via `package.json`
Debug access	jiti	1.19.1	Module: vm Location: dist/jiti.js +4 more instances...	react-scripts@5.0.0 via `package.json`
Environment variable access	jiti	1.19.1	Env Vars: Location: dist/jiti.js +30 more instances...	react-scripts@5.0.0 via `package.json`
Filesystem access	jiti	1.19.1	Module: fs Location: dist/jiti.js +1 more instances...	react-scripts@5.0.0 via `package.json`
High entropy strings	jiti	1.19.1	Location: dist/jiti.js +1 more instances...	react-scripts@5.0.0 via `package.json`
Long strings	jiti	1.19.1	Location: dist/jiti.js	react-scripts@5.0.0 via `package.json`
Minified code	jiti	1.19.1	Confidence: 1.00 Location: dist/jiti.js	react-scripts@5.0.0 via `package.json`
No contributors or author data	jiti	1.19.1	Location: package.json	react-scripts@5.0.0 via `package.json`
URL strings	jiti	1.19.1	URL: https://github.com/type Blob Management puleos/object-hash#26 Location: dist/jiti.js +1 more instances...	react-scripts@5.0.0 via `package.json`
Bidirectional unicode control characters	react-error-overlay	6.0.11	Location: lib/index.js +7 more instances...	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	react-error-overlay	6.0.11	Previous Chronological: react-error-overlay@6.1.0-next.14 (4/12/2022, 5:13:10 PM) Previous Semver: react-error-overlay@6.0.10 (12/14/2021, 3:54:01 PM)	react-scripts@5.0.0 via `package.json`
Zero width unicode chars	react-error-overlay	6.0.11	Location: lib/index.js +11 more instances...	react-scripts@5.0.0 via `package.json`
Bin script confusion	@nicolo-ribaudo/semver-v6	6.3.3	Bin Script: semver	react-scripts@5.0.0 via `package.json`
No contributors or author data	@nicolo-ribaudo/semver-v6	6.3.3	Location: package.json	react-scripts@5.0.0 via `package.json`
URL strings	@nicolo-ribaudo/semver-v6	6.3.3	URL: https://semver.org/ Location: bin/semver.js	react-scripts@5.0.0 via `package.json`
Bin script confusion	semver	7.5.3	Bin Script: semver	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	babel-plugin-named-asset-import	0.3.8	Previous Chronological: babel-plugin-named-asset-import@1.0.0-next.104 (12/14/2021, 6:10:36 AM) Previous Semver: babel-plugin-named-asset-import@0.3.7 (10/23/2020, 2:40:46 PM)	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	loader-utils	3.2.1	Previous Chronological: loader-utils@1.4.1 (11/7/2022, 8:42:52 PM) Previous Semver: loader-utils@3.2.0 (11/11/2021, 3:42:51 PM)	react-scripts@5.0.0 via `package.json`
Long strings	loader-utils	3.2.1	Location: lib/hash/md4.js +1 more instances...	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	loader-utils	2.0.4	Previous Chronological: loader-utils@3.2.1 (11/11/2022, 12:25:48 AM) Previous Semver: loader-utils@2.0.3 (10/20/2022, 8:00:23 PM)	react-scripts@5.0.0 via `package.json`
Long strings	loader-utils	2.0.4	Location: lib/hash/md4.js	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	strip-ansi	7.1.0	Previous Chronological: strip-ansi@6.0.1 (9/23/2021, 4:34:41 PM) Previous Semver: strip-ansi@7.0.1 (9/11/2021, 8:50:46 AM)	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	strip-ansi	6.0.1	Previous Chronological: strip-ansi@7.0.1 (9/11/2021, 8:50:46 AM) Previous Semver: strip-ansi@6.0.0 (11/9/2019, 6:20:36 AM)	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	ws	7.5.9	Previous Chronological: ws@8.8.0 (6/9/2022, 7:00:36 PM) Previous Semver: ws@7.5.8 (5/26/2022, 5:29:59 PM)	react-scripts@5.0.0 via `package.json`
Environment variable access	ws	8.13.0	Env Vars: Location: lib/buffer-util.js +3 more instances...	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	minimatch	5.1.6	Previous Chronological: minimatch@6.1.4 (1/17/2023, 5:46:31 PM) Previous Semver: minimatch@5.1.5 (1/17/2023, 3:04:11 PM)	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	minimatch	3.1.2	Previous Chronological: minimatch@5.0.0 (2/15/2022, 4:50:03 PM) Previous Semver: minimatch@3.1.1 (2/13/2022, 4:01:44 AM)	eslint@6.8.0, eslint-config-react-app@5.2.0, react-scripts@5.0.0, release-it@12.6.1 via `package.json`
Chronological version anomaly	@sinonjs/commons	1.8.6	Previous Chronological: @sinonjs/commons@2.0.0 (11/7/2022, 4:50:09 PM) Previous Semver: @sinonjs/commons@1.8.5 (11/7/2022, 4:44:52 PM)	react-scripts@5.0.0 via `package.json`
No contributors or author data	@sinonjs/commons	1.8.6	Location: package.json	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	send	0.18.0	Previous Chronological: send@1.0.0-beta.1 (2/5/2022, 4:57:40 AM) Previous Semver: send@0.17.2 (12/12/2021, 1:18:25 AM)	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	react-is	18.2.0	Previous Chronological: react-is@0.0.0-experimental-be229c565-20220613 (6/14/2022, 4:14:08 PM) Previous Semver: react-is@18.2.0-next-f7b44539c-20220610 (6/10/2022, 4:12:26 PM)	react-scripts@5.0.0 via `package.json`
New author	react-is	18.2.0	New Author: gnoff Previous Author: acdlite	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	react-is	16.13.1	Previous Chronological: react-is@0.0.0-da834083c (3/19/2020, 7:45:03 PM) Previous Semver: react-is@16.13.0 (2/26/2020, 8:20:11 PM)	eslint-config-react-app@5.2.0, react@16.12.0, react-dom@16.12.0, react-scripts@5.0.0 via `package.json`
Chronological version anomaly	react-is	17.0.2	Previous Chronological: react-is@0.0.0-12adaffef (3/22/2021, 9:34:56 PM) Previous Semver: react-is@17.0.1 (10/22/2020, 12:22:04 PM)	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	react-refresh	0.11.0	Previous Chronological: react-refresh@0.0.0-experimental-327d5c484-20211106 (11/8/2021, 4:14:39 PM) Previous Semver: react-refresh@0.11.0-alpha-fd5e01c2e-20210913 (9/13/2021, 9:34:26 PM)	react-scripts@5.0.0 via `package.json`
Environment variable access	react-refresh	0.11.0	Env Vars: Location: babel.js +5 more instances...	react-scripts@5.0.0 via `package.json`
No contributors or author data	react-refresh	0.11.0	Location: package.json	react-scripts@5.0.0 via `package.json`
No tests	react-refresh	0.11.0	Location: package.json	react-scripts@5.0.0 via `package.json`
No v1	react-refresh	0.11.0	Location: Package overview	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	tsconfig-paths	3.14.2	Previous Chronological: tsconfig-paths@4.1.2 (1/1/2023, 11:31:55 PM) Previous Semver: tsconfig-paths@3.14.1 (3/22/2022, 7:07:02 PM)	eslint-config-react-app@5.2.0, react-scripts@5.0.0 via `package.json`
Debug access	tsconfig-paths	3.14.2	Module: module Location: lib/register.js	eslint-config-react-app@5.2.0, react-scripts@5.0.0 via `package.json`
Dynamic require	tsconfig-paths	3.14.2	Location: lib/filesystem.js	eslint-config-react-app@5.2.0, react-scripts@5.0.0 via `package.json`
Environment variable access	tsconfig-paths	3.14.2	Env Vars: Location: lib/config-loader.js +1 more instances...	eslint-config-react-app@5.2.0, react-scripts@5.0.0 via `package.json`
Filesystem access	tsconfig-paths	3.14.2	Module: fs Location: lib/filesystem.js +1 more instances...	eslint-config-react-app@5.2.0, react-scripts@5.0.0 via `package.json`
Chronological version anomaly	resolve-url-loader	4.0.0	Previous Chronological: resolve-url-loader@3.1.3 (5/1/2021, 9:38:40 AM) Previous Semver: resolve-url-loader@4.0.0-beta.2 (4/30/2021, 10:51:26 AM)	react-scripts@5.0.0 via `package.json`
Dynamic require	resolve-url-loader	4.0.0	Location: lib/engine/rework.js	react-scripts@5.0.0 via `package.json`
No tests	resolve-url-loader	4.0.0	Location: package.json	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	minimist	1.2.8	Previous Chronological: minimist@0.2.3 (2/9/2023, 8:11:17 PM) Previous Semver: minimist@1.2.7 (10/11/2022, 1:21:52 AM)	eslint-config-react-app@5.2.0, react-scripts@5.0.0, release-it@12.6.1 via `package.json`
Chronological version anomaly	schema-utils	4.2.0	Previous Chronological: schema-utils@3.2.0 (6/7/2023, 10:25:11 PM) Previous Semver: schema-utils@4.1.0 (6/7/2023, 10:22:21 PM)	react-scripts@5.0.0 via `package.json`
Environment variable access	schema-utils	4.2.0	Env Vars: Location: dist/validate.js +10 more instances...	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	schema-utils	3.3.0	Previous Chronological: schema-utils@4.2.0 (6/14/2023, 2:25:16 PM) Previous Semver: schema-utils@3.2.0 (6/7/2023, 10:25:11 PM)	react-scripts@5.0.0 via `package.json`
Environment variable access	schema-utils	3.3.0	Env Vars: Location: dist/validate.js +10 more instances...	react-scripts@5.0.0 via `package.json`
Chronological version anomaly	@babel/code-frame	7.22.5	Previous Chronological: @babel/code-frame@7.21.4-esm.4 (4/4/2023, 3:13:27 PM) Previous Semver: @babel/code-frame@7.21.4 (3/31/2023, 9:01:51 AM)	eslint@6.8.0, eslint-config-react-app@5.2.0, react-scripts@5.0.0 via `package.json`
Chronological version anomaly

guardrails · 2023-07-05T05:26:40Z

⚠️ We detected 68 security issues in this pull request:

Vulnerable Libraries (68)

Severity	Details
High	pkg:npm/acorn@5.7.3 (t) upgrade to: 5.7.4,6.4.1,7.1.1
High	pkg:npm/ansi-regex@3.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
Medium	pkg:npm/ws@6.2.1 (t) upgrade to: 7.4.6,6.2.2,5.2.3
High	pkg:npm/css-what@2.1.3 (t) - no patch available
High	pkg:npm/css-what@3.2.1 (t) - no patch available
High	pkg:npm/json-stable-stringify@1.0.1 (t) - no patch available
High	pkg:npm/is-svg@3.0.0 (t) upgrade to: 4.2.2
High	pkg:npm/minimist@0.0.8 (t) - no patch available
Medium	pkg:npm/sockjs@0.3.19 (t) upgrade to: 0.3.20
High	pkg:npm/minimatch@3.0.4 (t) upgrade to: 3.0.5
Medium	pkg:npm/dns-packet@1.3.1 (t) - no patch available
Critical	pkg:npm/unset-value@1.0.0 (t) - no patch available
Critical	pkg:npm/execa@1.0.0 (t) - no patch available
Low	pkg:npm/request@2.88.2 (t) - no patch available
Medium	pkg:npm/node-notifier@5.4.3 (t) upgrade to: 8.0.1
N/A	pkg:npm/yargs-parser@13.1.1 (t) - no patch available
High	pkg:npm/node-addon-api@2.0.0 (t) - no patch available
High	pkg:npm/flat@4.1.0 (t) - no patch available
Medium	pkg:npm/browserslist@4.8.6 (t) upgrade to: 4.16.5
High	pkg:npm/ssri@6.0.1 (t) upgrade to: 6.0.2,7.1.1,8.0.1
Critical	pkg:npm/express@4.17.1 (t) - no patch available
High	pkg:npm/tmpl@1.0.4 (t) upgrade to: 1.0.5
Medium	pkg:npm/core-js@2.6.11 (t) - no patch available
Medium	pkg:npm/core-js@3.6.4 (t) - no patch available
Critical	pkg:npm/shell-quote@1.7.2 (t) upgrade to: 1.7.3
High	pkg:npm/async@2.6.3 (t) upgrade to: 3.2.2,2.6.4
Medium	pkg:npm/istanbul-reports@2.2.7 (t) - no patch available
High	pkg:npm/json5@1.0.1 (t) upgrade to: 2.2.2
Medium	pkg:npm/browserslist@4.8.7 (t) upgrade to: 4.16.5
Critical	pkg:npm/parse-path@4.0.1 (t) - no patch available
N/A	pkg:npm/normalize-url@4.5.0 (t) - no patch available
Critical	pkg:npm/qs@6.7.0 (t) - no patch available
High	pkg:npm/merge-deep@3.0.2 (t) - no patch available
Critical	pkg:npm/eventsource@1.0.7 (t) upgrade to: 1.1.1,2.0.2
High	pkg:npm/http-cache-semantics@4.0.4 (t) upgrade to: 4.1.1,4.1.1
Medium	pkg:npm/jsdom@14.1.0 (t) upgrade to: 16.5.0
High	pkg:npm/json5@2.1.1 (t) upgrade to: 2.2.2
High	pkg:npm/clean-css@4.2.3 (t) - no patch available
High	pkg:npm/ssri@7.1.0 (t) upgrade to: 6.0.2,7.1.1,8.0.1
High	pkg:npm/ansi-regex@4.1.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
N/A	pkg:npm/yargs-parser@17.0.0 (t) - no patch available
Medium	pkg:npm/ajv@6.12.0 (t) upgrade to: 6.12.3
High	pkg:npm/acorn@6.4.0 (t) upgrade to: 5.7.4,6.4.1,7.1.1
Medium	pkg:npm/got@9.6.0 (t) - no patch available
Medium	pkg:npm/git-up@4.0.1 (t) - no patch available
N/A	pkg:npm/debug@2.6.9 (t) upgrade to: 3.1.0
High	pkg:npm/y18n@4.0.0 (t) upgrade to: 3.2.2,4.0.1,5.0.5
High	pkg:npm/nth-check@1.0.2 (t) upgrade to: 2.0.1
High	pkg:npm/cacheable-request@6.1.0 (t) upgrade to: 10.2.7
Medium	pkg:npm/ws@5.2.2 (t) upgrade to: 7.4.6,6.2.2,5.2.3
High	pkg:npm/decode-uri-component@0.2.0 (t) - no patch available
High	pkg:npm/glob-parent@3.1.0 (t) upgrade to: 5.1.2
Critical	pkg:npm/loader-utils@1.2.3 (t) upgrade to: 2.0.3
N/A	pkg:npm/immer@1.10.0 (t) upgrade to: 8.0.1
Medium	pkg:npm/node-fetch@2.6.0 (t) - no patch available
High	pkg:npm/postcss@7.0.21 (t) - no patch available
High	pkg:npm/postcss@7.0.27 (t) - no patch available
High	pkg:npm/shelljs@0.8.3 (t) upgrade to: 0.8.5
Critical	pkg:npm/lodash@4.17.15 (t) - no patch available
High	pkg:npm/react-dev-utils@10.2.0 (t) - no patch available
N/A	pkg:npm/acorn@7.1.0 (t) - no patch available
High	pkg:npm/http-proxy@1.18.0 (t) - no patch available
N/A	pkg:npm/ansi-html@0.0.7 (t) - no patch available
N/A	pkg:npm/hosted-git-info@2.8.5 (t) - no patch available
Critical	pkg:npm/qs@6.5.2 (t) - no patch available
High	pkg:npm/path-parse@1.0.6 (t) - no patch available
N/A	pkg:npm/node-forge@0.9.0 (t) upgrade to: 0.10.0
Medium	pkg:npm/serialize-javascript@2.1.2 (t) - no patch available

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

fix: package.json & package-lock.json to reduce vulnerabilities

1bc6b36

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade react-scripts from 3.4.0 to 5.0.0 #12

[Snyk] Security upgrade react-scripts from 3.4.0 to 5.0.0 #12

naiba4 commented Jul 5, 2023

socket-security bot commented Jul 5, 2023

socket-security bot commented Jul 5, 2023

guardrails bot commented Jul 5, 2023

[Snyk] Security upgrade react-scripts from 3.4.0 to 5.0.0 #12

Are you sure you want to change the base?

[Snyk] Security upgrade react-scripts from 3.4.0 to 5.0.0 #12

Conversation

naiba4 commented Jul 5, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

socket-security bot commented Jul 5, 2023

socket-security bot commented Jul 5, 2023

guardrails bot commented Jul 5, 2023