I created a React project using the `npx create-react-app my-app` command. I then tested the project using `npm start`. When I commit the project to GitHub, I get a security advisory on the project page:
> serialize-javascript vulnerability found in yarn.lock
>
> **Remediation**
>
> Upgrade serialize-javascript to version 2.1.1 or later.
I do not have the `serialize-javascript` dependency in my `package.json` file. Here is the project on GitHub: https://github.com/shankarps/ReactPracticeProject/

How can I fix this error?

How can I ensure that the latest dependencies are included in the project when it is created?
This GitHub issue has a pretty good conversation on this: https://github.com/yarnpkg/yarn/issues/4986
"The workaround of adding sub-dep A as a direct dep just to fix a security issue is worse because it creates confusion (the package is not used directly) as well as a maintenance burden." - kumar303
As a couple of others have suggested, adding a `resolutions` field to your `package.json` file might be more ideal:

```json
"resolutions": {
  "serialize-javascript": "^2.1.1"
}
```
I had the same issue reported by GitHub for my React app created by `npx create-react-app`:
Here is what I did to resolve this security alert for serialize-javascript to do with yarn.lock.
```sh
yarn add serialize-javascript
```

Then `git commit` and push the changes to `package.json` and `yarn.lock` to GitHub. As a result, the alert was gone.