My NPM package in my react client folder is giving me 63 low vulnerabilities all dealing with the braces package mainly in the jest folder of the react-scripts package of version 2.1.5. NPM Audit fix doesn't work, what do I do?
I've tried downgrading to previous versions of react-scripts, and updating braces either through updating the package.json, deleting the package lock and running `npm install` again, or running `npm update braces`, but nothing has worked after 2 hours of fiddling. I've also tried to revert to a previous version of my GitHub package.json from when it was working. I believe it stopped working after I tried to download firebase-ui, but I think it has to do with updating the packages, since I've deleted node_modules and run `npm install` several times.
Here's the clean package.json that's messing up:
```json
"webpack-dev-server": "3.1.14",
"@babel/core": "*",
"axios": "*",
"body-parser": "*",
"bootstrap": "*",
"cors": "*",
"dotenv": "*",
"draft-js": "*",
"draft-js-export-html": "*",
"errorhandler": "*",
"express": "*",
"express-session": "*",
"history": "*",
"jquery": "*",
"moment": "*",
"mongoose": "*",
"morgan": "*",
"node-sass-chokidar": "*",
"npm-run-all": "*",
"path": "*",
"query-string": "*",
"react": "*",
"react-dom": "*",
"react-loadable": "*",
"react-redux": "*",
"react-router-dom": "*",
"react-router-redux": "*",
"react-scripts": "*",
"react-validation": "*",
"reactstrap": "*",
"recharts": "*",
"redux": "*",
"redux-logger": "*",
"redux-observable": "*",
"redux-thunk": "*",
"rxjs": "*",
"rxjs-compat": "*",
"validator": "*"
```
And here's the issue I'm getting:
```text
Low             Regular Expression Denial of Service
Package         braces
Dependency of   react-scripts
Path            react-scripts > jest > jest-cli > micromatch > braces
More info       https://nodesecurity.io/advisories/786
```
If security vulnerabilities are found and updates are available, you can either: Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies. Run the recommended commands individually to install updates to vulnerable dependencies.
The npm audit fix command will exit with 0 exit code if no vulnerabilities are found or if the remediation is able to successfully fix all vulnerabilities. If vulnerabilities were found the exit code will depend on the audit-level configuration setting.
npm audit is a new command that performs a moment-in-time security review of your project's dependency tree. Audit reports contain information about security vulnerabilities in your dependencies and can help you fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting.
I ran `npm install braces@2.3.2` and then `npm update`. That still resulted in the 63 vulnerabilities, but it did bring my braces to the current version. So I went through and updated ALL references of braces in the package-lock.json to 2.3.2. I then ran `npm update` again, and when I ran `npm audit` the vulnerabilities were gone.
I was able to resolve a similar issue with the `resolutions` field followed by `yarn install`:
```json
"resolutions": {
  "braces": "= 2.3.1"
}
```
I've inspected yarn.lock and verified that only the relevant dependency was updated. There is more on the topic here: https://github.com/yarnpkg/yarn/issues/4986.