css-what version dependency causing Denial of Service vulnerabilities #11081

Closed
shonb6570 opened this issue Jun 8, 2021 · 8 comments

Comments

@shonb6570

Describe the bug

As the title says, I am getting multiple (2) Denial of Service vulnerabilities due to the css-what dependency version (^3.2.1), which is patched in >=5.0.1. Forgive me if this is a known issue, this is my first time reporting.

Did you try recovering your dependencies?

Yes. 6.14.10.

Which terms did you search for in User Guide?

I spent some time looking for this specific issue (although not in the user guide).

Environment

Environment Info:

current version of create-react-app: 3.4.1
running from C:\Users\ShaunBolak\AppData\Roaming\npm\node_modules\create-react-app

System:
OS: Windows 10 10.0.19041
CPU: (4) x64 Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz
Binaries:
Node: 14.15.4 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 6.14.10 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: 44.19041.964.0
Internet Explorer: 11.0.19041.1
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: ^4.0.3 => 4.0.3
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

  1. Appears as vulnerability notice after npm install.
  2. Produces 2 High vulnerabilities due to css-what version in css-select not being >=5.0.1.
  3. 82 other moderate vulnerabilities are also produced which are related to react-scripts.
  4. npm uninstall react-scripts reduces vulnerabilities to zero.

Expected behavior

No vulnerabilities, or a way to patch them myself...?

Actual behavior

Screenshot of vulnerabilities attached. npm audit fix results do not resolve any of the vulnerabilities.

[Attached screenshot: Capture2]

Reproducible demo

shonb6570/shaun-bolak-design-5-2021@530a504

Thank you^^

@jacobbroughton

jacobbroughton commented Jun 9, 2021

Same issue. Npm audit cuts the amount in half on the first run to 47 moderate issues, then if I run it again, all 96 issues show again...

@r21meghashyam

For react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > css-what there is a PR on @svgr/plugin-svgo to update it. Urge contributors to watch out for updates.

For react-scripts > optimize-css-assets-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what, the author of optimize-css-assets-webpack-plugin has already updated to the right version, update optimize-css-assets-webpack-plugin to 5.0.6 to resolve the issue.

@stahlmanDesign

Today I saw npm audit fix patched dozens of moderate vulnerabilities, but 4 "high" vulnerabilities remain in react-scripts dependencies.

@ArutanSipdrae

ArutanSipdrae commented Jun 16, 2021

I also got a lot of vulnerabilities fixed today, but react-scripts still gives me 4 moderates (postcss, browserslist, glob-parent x2) and 4 high (css-what x2, normalize-url x2).

@sindhurameduri

sindhurameduri commented Jun 18, 2021

React-scripts is still giving me 1 critical (ejs) and 5 high (css-what x2, normalize-url x2, glob-parent), any suggestions to resolve these?

@wshihdehx

I'm also getting the same 4 vulnerabilities, any fix?

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

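The two dependency chains r21meghashyam lists and the devDependencies fix gaearon describes both come down to one question: does the flagged package sit on a path that starts at a production dependency, or only on paths that start at build-time tooling? The following is an added example, not code from this thread or from the create-react-app project. It walks a constructed, heavily trimmed lockfile in npm's lockfileVersion 2 "packages" layout (package names and the two chains are taken from the thread; the versions, the `*` ranges and the function names `resolve`, `findPaths`, `auditSummary`, `moveToDevDependencies` and `withToolMoved` are assumptions made for the demonstration), reports every path from the project root to css-what, and shows how moving react-scripts to devDependencies changes the classification of those paths from production to dev.

```javascript
// Added example (not code from this thread or from create-react-app): trace
// how an audit-flagged package is reached from a project root and whether
// each path to it enters through a devDependency.

// Constructed, heavily trimmed lockfile in npm lockfileVersion 2 layout.
// Package names and the two chains come from the thread; the versions and
// the intermediate "dependencies" maps are made up for the demonstration.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { react: "^17.0.2", "react-dom": "^17.0.2", "react-scripts": "^4.0.3" },
      devDependencies: {},
    },
    "node_modules/react": { version: "17.0.2" },
    "node_modules/react-dom": { version: "17.0.2", dependencies: { react: "^17.0.2" } },
    "node_modules/react-scripts": {
      version: "4.0.3",
      dependencies: { "@svgr/webpack": "*", "optimize-css-assets-webpack-plugin": "*" },
    },
    "node_modules/@svgr/webpack": { dependencies: { "@svgr/plugin-svgo": "*" } },
    "node_modules/@svgr/plugin-svgo": { dependencies: { svgo: "*" } },
    "node_modules/optimize-css-assets-webpack-plugin": { dependencies: { cssnano: "*" } },
    "node_modules/cssnano": { dependencies: { "cssnano-preset-default": "*" } },
    "node_modules/cssnano-preset-default": { dependencies: { "postcss-svgo": "*" } },
    "node_modules/postcss-svgo": { dependencies: { svgo: "*" } },
    "node_modules/svgo": { dependencies: { "css-select": "*" } },
    "node_modules/css-select": { dependencies: { "css-what": "^3.2.1" } },
    "node_modules/css-what": { version: "3.2.1" },
  },
};

// Resolve a dependency name the way Node does: nearest enclosing
// node_modules first, then each ancestor, then the root node_modules.
function resolve(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every simple path from the root to targetName, tagged with whether the
// first hop is a devDependency (the paths `npm audit --production` skips).
function findPaths(lock, targetName) {
  const packages = lock.packages;
  const results = [];
  function walk(fromPath, edges, names, seen) {
    for (const [dep, viaDev] of edges) {
      const depPath = resolve(packages, fromPath, dep);
      if (!depPath || seen.has(depPath)) continue; // unresolvable, or a cycle
      const chain = names.concat(dep);
      if (dep === targetName) { results.push({ chain, dev: viaDev }); continue; }
      const next = Object.keys(packages[depPath].dependencies || {}).map((d) => [d, viaDev]);
      walk(depPath, next, chain, new Set(seen).add(depPath));
    }
  }
  const root = packages[""];
  const rootEdges = [
    ...Object.keys(root.dependencies || {}).map((d) => [d, false]),
    ...Object.keys(root.devDependencies || {}).map((d) => [d, true]),
  ];
  walk("", rootEdges, [], new Set([""]));
  return results;
}

// Count paths and render them in the "a > b > c" form used in the thread.
function auditSummary(lock, targetName) {
  const paths = findPaths(lock, targetName);
  return {
    total: paths.length,
    production: paths.filter((p) => !p.dev).length,
    chains: paths.map((p) => (p.dev ? "[dev]  " : "[prod] ") + p.chain.join(" > ")),
  };
}

// The fix from the thread, applied to a package.json object: move a
// build-time tool such as react-scripts from "dependencies" to "devDependencies".
function moveToDevDependencies(manifest, name) {
  const deps = { ...(manifest.dependencies || {}) };
  if (!(name in deps)) return manifest;
  const devDeps = { ...(manifest.devDependencies || {}), [name]: deps[name] };
  delete deps[name];
  return { ...manifest, dependencies: deps, devDependencies: devDeps };
}

// Apply the same move to the root entry ("") of the lockfile.
function withToolMoved(lock, name) {
  return { ...lock, packages: { ...lock.packages, "": moveToDevDependencies(lock.packages[""], name) } };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditSummary(LOCK, "css-what"));                                // 2 paths, 2 production
  console.log(auditSummary(withToolMoved(LOCK, "react-scripts"), "css-what")); // 2 paths, 0 production
}
```

Both chains still exist after the move; what changes is that they now start at a devDependency, so an audit restricted to production dependencies no longer reports them. That is the sense in which the warnings are false positives for a deployed app: css-what is only executed by the build tooling, never shipped in the bundle.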
@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.
