I am starting a new React project, and I just installed the very basic package (npx create-react-app) without anything else. When I run the audit, I get the following low vulnerability:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > webpack-dev-server > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1896 scanned packages
1 vulnerability requires manual review. See the full report for details.
I tried Google and looked everywhere for a way to fix this. I reinstalled the yargs-parser package without success, and tried reinstalling the project several times.
Any help would be highly appreciated.
Prototype pollution is an injection attack that targets JavaScript runtimes. With prototype pollution, an attacker might control the default values of an object's properties.
Prototype Pollution is a vulnerability that allows attackers to exploit the rules of the JavaScript programming language by injecting properties into the prototypes of existing JavaScript language constructs, such as Object, to compromise applications in various ways.
Right now there isn't an immediate fix. yargs-parser has breaking changes in the versions that have been released since the one pinned in react-scripts. We are waiting on react-scripts to be updated in order to address this warning.
It is worth noting that this isn't a "serious" vulnerability and should only affect dev environments. It is fixed in the latest yargs-parser, but I wouldn't lose sleep over a low risk vulnerability. They happen from time to time and the community is usually quite good at patching them out.
You can watch the progress of this issue or (depending on your skill level) contribute to the fix here: https://github.com/facebook/create-react-app/issues/8529
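To make the answer's description of prototype pollution concrete, here is an added example (not code from the original post, not yargs-parser itself): a constructed mini option parser that turns "--a.b=c" flags into a nested object, first with a naive nested setter of the kind that causes this bug class, then with a hardened setter that refuses prototype-walking segments. The pollutionCheck helper runs a constructed argv through a setter and reports whether a fresh, unrelated object afterwards carries the injected property, which is the symptom a reviewer should test for.

```javascript
// Added example (not from the original post). Key-path segments that must never be
// assigned through, because they reach Object.prototype or its constructor.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive nested assignment: the pattern behind prototype-pollution bugs in option
// parsers. Walking into "__proto__" lands on Object.prototype and writes there.
function naiveSetPath(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened version: reject any forbidden segment outright, only descend into
// own properties, and create null-prototype containers so nothing is inherited.
function safeSetPath(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) {
    throw new Error(`refusing key path with a prototype segment: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = Object.create(null);
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Constructed mini-parser for "--name=value" and "--a.b=value" flags; the setter
// is injected so the same argv can be run through either implementation.
function parseArgs(argv, setPath) {
  const opts = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setPath(opts, m[1], m[2]);
  }
  return opts;
}

// Detection check: parse a constructed argv containing a prototype-walking key,
// then ask an unrelated empty object whether it now sees the injected property.
function pollutionCheck(setPath) {
  const argv = ['--port=3000', '--__proto__.polluted=yes'];
  let threw = false;
  try {
    parseArgs(argv, setPath);
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo any pollution so the check is repeatable
  return { threw, polluted };
}

console.log('naive setter:', pollutionCheck(naiveSetPath)); // { threw: false, polluted: true }
console.log('safe setter: ', pollutionCheck(safeSetPath));  // { threw: true, polluted: false }
```

The same check is a useful regression test for any code that builds objects from untrusted key paths (CLI flags, query strings, JSON merges): after feeding it a `__proto__` segment, a brand-new `{}` must not gain the property.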
We need to add this too:
"scripts": { "preinstall": "npx npm-force-resolutions" }
Then on your package.json add:
"resolutions": { "yargs-parser": "^13.1.2" }
Finally, run the commands below in your terminal:
rm -r node_modules
npm install