
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Moderate Inefficient Regular Expression Complexity in nth-check

Package nth-check

Patched in >=2.0.1

Dependency of react-scripts

Path react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >
css-select > nth-check

More info https://github.com/advisories/GHSA-rp65-9cf3-cjxr

Moderate Regular Expression Denial of Service in postcss

Package postcss

Patched in >=8.2.13
Dependency of react-scripts

Path react-scripts > resolve-url-loader > postcss

More info https://github.com/advisories/GHSA-566m-qj78-rww5

found 2 moderate severity vulnerabilities in 1398 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

1 Answer


Ok basically, it's very simple :)

As far as I am concerned, I only have one moderate vulnerability. But the solution should work for both of them!

I am going to explain as clearly as possible with the nth-check problem.

All these problems come from packages that could have a potential problem that, I assume, can vary depending on the package. If you want to have a look for fun, here is the nth-check package on npm:

https://www.npmjs.com/package/nth-check

If you have a look at the link above, you'll see that... surprise, the current version is 2.0.1. And that's pretty cool, because the error message you get says that the problem coming from that package has been fixed in that very same version.

So, I would personally recommend using yarn first. But everybody has their own preferences! To do so, you can type

npm install --global yarn

After that, you could remove your package-lock file and run the following command (in the folder of your app, of course):

yarn

(such a surprise.) This will generate a yarn.lock file. Note that you should avoid using yarn and npm at the same time!

In that very same yarn.lock file, you will have to search for the nth-check string! In a brand new React app (so far), you should find 8 occurrences of that string. This string will be set next to a package version. That's what you want to change.

In my case, I have, for example:

# so far. This version can be different for an older project.
nth-check@^1.0.2:
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"

You want to change all those wrong versions. It should look like this:

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz"

If you save the file, launch a simple

yarn

command followed by a

yarn audit

It SHOULD fix one of your problems!

For the second one, I would do the exact same thing. But I would also look for a more specific string, something like "postcss@", to help you narrow your possibilities down!

Hope this was helpful. Cheers!

LoveriusB