How to fix npm package braces issue with react-scripts v2.1.5 when npm audit does nothing?

My npm package in my react client folder is giving me 63 low vulnerabilities, all dealing with the braces package, mainly in the jest folder of the react-scripts package of version 2.1.5. npm audit fix doesn't work. What do I do?

I've tried downgrading to previous versions of react-scripts, and updating braces either through updating the package.json, deleting the package lock and running npm install again, or running npm update braces, but nothing has worked after 2 hours of fiddling. I've also tried to revert to a previous version of my GitHub package.json from when it was working. I believe it stopped working after I tried to download firebase-ui, but I think it has to do with updating the packages, since I've deleted the node modules and run npm install several times.

Here's my clean package.json that's messing up.

"webpack-dev-server": "3.1.14",
"@babel/core": "*",
"axios": "*",
"body-parser": "*",
"bootstrap": "*",
"cors": "*",
"dotenv": "*",
"draft-js": "*",
"draft-js-export-html": "*",
"errorhandler": "*",
"express": "*",
"express-session": "*",
"history": "*",
"jquery": "*",
"moment": "*",
"mongoose": "*",
"morgan": "*",
"node-sass-chokidar": "*",
"npm-run-all": "*",
"path": "*",
"query-string": "*",
"react": "*",
"react-dom": "*",
"react-loadable": "*",
"react-redux": "*",
"react-router-dom": "*",
"react-router-redux": "*",
"react-scripts": "*",
"react-validation": "*",
"reactstrap": "*",
"recharts": "*",
"redux": "*",
"redux-logger": "*",
"redux-observable": "*",
"redux-thunk": "*",
"rxjs": "*",
"rxjs-compat": "*",
"validator": "*"

And here's the issue I'm getting:

Low Regular Expression Denial of Service

Package braces

Dependency of react-scripts

Path react-scripts > jest > jest-cli > micromatch > braces

More info https://nodesecurity.io/advisories/786

CrumrineCoder asked Feb 17 '19 14:02


2 Answers

I ran npm install braces@2.3.2 and then npm update

That still resulted in the 63 vulnerabilities but it did bring my braces to the current version. So I went through and updated ALL references of braces in the package-lock.json to 2.3.2. I then ran npm update again and when I ran npm audit the vulnerabilities were gone.

jeffdstephens answered Sep 27 '22 18:09


I was able to resolve a similar issue with the resolutions field followed by yarn install:

  "resolutions": {
    "braces": "= 2.3.1"
  }

I've inspected yarn.lock and verified that only the relevant dependency was updated.

There is more on the topic here - https://github.com/yarnpkg/yarn/issues/4986.

Anton answered Sep 27 '22 18:09