
browserslist Security Vulnerability #11077

Closed

zpeterson opened this issue Jun 8, 2021 · 6 comments

Comments

zpeterson commented Jun 8, 2021

Your dependency on browserslist v4.14.2 is vulnerable and needs to be updated here: react-dev-utils/package.json#L57.


ohhyunjin commented Jun 8, 2021

Not sure if I can mention this here, but there's also a vulnerability issue I'm getting in a project, which is with the postcss dependency in react-scripts, and GitHub Dependabot is telling me to upgrade to v8.2.10 or later.

UPDATE
After a few days, today, I got another alert, now with another dependency: normalize-url, and it won't let me update to a non-vulnerable version due to conflicting dependencies with react-scripts. Screenshot attached below.
[Screenshot: Screen Shot 2021-06-12 at 9 13 01]

thisKeeWord commented

^ likewise

ohhyunjin commented

Any updates on this issue? I keep getting vulnerability alerts in my repo.


croraf commented Jun 21, 2021

Can this be closed in favor of: #11012 ?


gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.
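The package.json change described in the comment above, as an added example (not code from the create-react-app project or from anyone in this thread): a small Node script that parses a manifest, moves the named package from "dependencies" to "devDependencies", and returns the rewritten text. The function names and the sample package.json contents are constructed for illustration and are not a real project's manifest.

```javascript
// Added example: move a package from "dependencies" to "devDependencies"
// in a package.json document. Not code from create-react-app or this thread;
// the function names and the sample manifest below are constructed.

// Constructed sample manifest (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "my-app",
  version: "0.1.0",
  private: true,
  dependencies: {
    react: "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3"
  },
  scripts: { start: "react-scripts start", build: "react-scripts build" }
}, null, 2) + "\n";

/**
 * Move `pkgName` from "dependencies" to "devDependencies", keeping its
 * version range. Returns the rewritten JSON text (2-space indent, trailing
 * newline). Throws if the text is not valid JSON or the package is not
 * listed under "dependencies", so a typo fails loudly instead of doing nothing.
 */
function movePackageToDev(packageJsonText, pkgName) {
  const manifest = JSON.parse(packageJsonText);
  const deps = manifest.dependencies || {};
  if (!Object.prototype.hasOwnProperty.call(deps, pkgName)) {
    throw new Error(`${pkgName} is not listed under "dependencies"`);
  }
  const range = deps[pkgName];
  delete deps[pkgName];
  manifest.devDependencies = manifest.devDependencies || {};
  manifest.devDependencies[pkgName] = range;
  // Drop an emptied "dependencies" object rather than leaving `{}` behind.
  if (Object.keys(deps).length === 0) delete manifest.dependencies;
  return JSON.stringify(manifest, null, 2) + "\n";
}

/**
 * Report which section (`dependencies` or `devDependencies`) lists
 * `pkgName`, or null if neither does. Useful as a post-edit check.
 */
function sectionOf(packageJsonText, pkgName) {
  const manifest = JSON.parse(packageJsonText);
  for (const section of ["dependencies", "devDependencies"]) {
    const table = manifest[section];
    if (table && Object.prototype.hasOwnProperty.call(table, pkgName)) {
      return section;
    }
  }
  return null;
}

// Stand-alone run against the constructed sample. For a real project,
// read and write ./package.json with the fs module instead.
const UPDATED_PACKAGE_JSON = movePackageToDev(SAMPLE_PACKAGE_JSON, "react-scripts");
console.log(UPDATED_PACKAGE_JSON);
console.log("react-scripts is now under:", sectionOf(UPDATED_PACKAGE_JSON, "react-scripts"));
```

After the move, `npm audit --production` (npm 6) or `npm audit --omit=dev` (npm 7 and later) excludes devDependencies from the report, which is why the warnings disappear; the build-time tree under react-scripts is unchanged by this edit, only its audit scope is.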

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021

gaearon commented Jul 2, 2021

Please see #11174.
