
I created a new app using create-react-app a month ago, and recently I got this message from npm update:

80 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit gives me:

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install react-scripts@2.1.8, which is a breaking change

I tried npm audit fix but nothing changed, and npm audit fix --force installs an older version of react-scripts (from the current 4.0.3 down to 2.1.8), so it doesn't seem like a good solution.

npm install postcss@latest --save and npm install postcss@8.2.15 --save don't change anything either.

What is the best way to fix this vulnerability?

Ditiz

2 Answers


This problem has been answered here: https://stackoverflow.com/a/67502823/8499653

The support for postcss 8 is already merged and will probably be released soon.

You can use the npm package npm-force-resolutions to temporarily fix this issue.

Ditiz


I lost half a day to this; all the npm-based solutions and packages didn't work, and force-resolutions wasn't working for me.

Switching to Yarn makes this far simpler.

rm -rf ./node_modules
rm ./package-lock.json

Edit your package.json (add any other package versions that npm / yarn audit tells you to upgrade here as well):

  "resolutions": {
    "postcss": "^8.2.10"
  },

Run yarn install, then yarn audit, which should yield the magic words:

0 vulnerabilities found - Packages audited: 999
✨  Done in 1.10s.
lys
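Both answers above rely on the same mechanism: a "resolutions" entry that pins every copy of postcss, hoisted or nested, to a fixed version (Yarn reads the field natively; for npm the npm-force-resolutions package applies it from a preinstall script). What neither answer shows is how to confirm that no vulnerable copy is left behind in a nested node_modules folder, which is exactly the case `npm install postcss@8.2.15 --save` does not cover. The following Node.js script is an added example, not code from the question, the answers, or the npm-force-resolutions project: it walks a package-lock.json v1-style "dependencies" tree (an assumption; npm 7's lockfileVersion 2 still writes that legacy tree alongside "packages"), flags any postcss copy inside the advisory range 7.0.0 - 8.2.9 (fixed in 8.2.10), and builds the package.json edit both answers describe. The lockfile and package.json objects are constructed for the example.

```javascript
// Added example (not from the question or either answer): audit a lockfile
// tree for leftover vulnerable postcss copies and build the "resolutions"
// override. The sample lockfile/package.json below are constructed inputs.

const VULN_MIN = [7, 0, 0];   // first vulnerable version (inclusive)
const VULN_MAX = [8, 2, 10];  // first fixed version (exclusive)

// Parse "8.2.15" (or "8.2.15-beta.1", "v8.2.15") into [8, 2, 15].
// Prerelease and build tags are ignored for this range check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-part numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls in [7.0.0, 8.2.10), the advisory's range.
function isVulnerablePostcss(version) {
  const v = parseVersion(version);
  return compareVersions(v, VULN_MIN) >= 0 && compareVersions(v, VULN_MAX) < 0;
}

// Walk a package-lock v1 "dependencies" tree. Nested (non-hoisted) copies live
// under each package's own "dependencies", which is where a vulnerable postcss
// survives even after a top-level upgrade. Returns every postcss occurrence.
function findPostcss(deps, prefix = '') {
  const found = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    if (name === 'postcss') {
      found.push({ path, version: entry.version, vulnerable: isVulnerablePostcss(entry.version) });
    }
    found.push(...findPostcss(entry.dependencies, path));
  }
  return found;
}

// Return a new package.json object with the resolution added. With npm: true the
// preinstall hook that npm-force-resolutions documents is added too; Yarn needs
// only the "resolutions" field. The input object is not mutated.
function addResolution(pkg, name, range, { npm = false } = {}) {
  const out = { ...pkg, resolutions: { ...(pkg.resolutions || {}), [name]: range } };
  if (npm) {
    out.scripts = { ...(pkg.scripts || {}), preinstall: 'npx npm-force-resolutions' };
  }
  return out;
}

// Constructed lockfile: a hoisted, fixed postcss plus a nested vulnerable copy
// under react-scripts, mirroring the situation in the question.
const sampleLock = {
  dependencies: {
    postcss: { version: '8.2.15' },
    'react-scripts': {
      version: '4.0.3',
      dependencies: {
        postcss: { version: '7.0.35' },
      },
    },
  },
};

// Constructed package.json for the override.
const samplePkg = { name: 'my-app', dependencies: { 'react-scripts': '4.0.3' } };

// Print one line per postcss copy, then the patched package.json.
function report(lock, pkg) {
  const hits = findPostcss(lock.dependencies);
  for (const hit of hits) {
    console.log(`${hit.path}@${hit.version} ${hit.vulnerable ? 'VULNERABLE' : 'ok'}`);
  }
  console.log(JSON.stringify(addResolution(pkg, 'postcss', '^8.2.10', { npm: true }), null, 2));
  return hits.filter((h) => h.vulnerable).length;
}

report(sampleLock, samplePkg);
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested copy it reports is the same one `npm ls postcss` shows. Yarn's lockfile is not JSON, so on the Yarn side use `yarn why postcss` to confirm that only the resolved version remains after the reinstall.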