[Snyk] Security upgrade react-scripts from 2.0.5 to 3.1.0#14
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TERSER-2806366
| "react": "^16.5.2", | ||
| "react-dom": "^16.5.2", | ||
| "react-scripts": "2.0.5" | ||
| "react-scripts": "3.1.0" |
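Review bot: only package.json changes here (react-scripts pinned from 2.0.5 to the exact version 3.1.0, while react and react-dom keep caret ranges), and no package-lock.json hunk is visible, so confirm the lockfile was regenerated and that the terser copy resolved under react-scripts actually moves off the version named in SNYK-JS-TERSER-2806366; a package.json bump alone leaves the lockfile's pinned tree in place. The Jit findings attached to this line all report paths rooted at react-scripts (immer, object-path, nth-check, node-forge, ansi-html, sockjs, postcss, serialize-javascript), so resolve each of those paths against the regenerated lockfile before merging rather than treating this upgrade as closing only the terser issue.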
Security control: Software Component Analysis Js
Type: Prototype Pollution In Object-Path
Description: react-scripts>resolve-url-loader>adjust-sourcemap-loader>object-path@0.11.4
Severity: MEDIUM
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_finding: Ignore this specific single instance of finding
#jit_undo_ignore: Undo ignore command
Security control: Software Component Analysis Js
Type: Prototype Pollution In Immer
Description: react-scripts>react-dev-utils>immer@1.10.0
Severity: HIGH
Security control: Software Component Analysis Js
Type: Prototype Pollution In Object-Path
Description: react-scripts>resolve-url-loader>adjust-sourcemap-loader>object-path@0.11.4
Severity: HIGH
Security control: Software Component Analysis Js
Type: Cross-Site Scripting In Serialize-Javascript
Description: Paths from library to vulnerable dependencies:
- react-scripts>terser-webpack-plugin>serialize-javascript@1.9.1
- react-scripts>webpack>terser-webpack-plugin>serialize-javascript@1.9.1
Severity: MEDIUM
Security control: Software Component Analysis Js
Type: Improper Input Validation In Sockjs-Node
Description: react-scripts>webpack-dev-server>sockjs@0.3.19
Severity: MEDIUM
Security control: Software Component Analysis Js
Type: Prototype Pollution In Node-Forge Debug API
Description: react-scripts>webpack-dev-server>selfsigned>node-forge@0.10.0
Severity: LOW
Security control: Software Component Analysis Js
Type: Inefficient Regular Expression Complexity In Nth-Check
Description: Paths from library to vulnerable dependencies:
- react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check@1.0.2
- react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check@1.0.2
Severity: HIGH
Security control: Software Component Analysis Js
Type: Uncontrolled Resource Consumption In Ansi-Html
Description: react-scripts>webpack-dev-server>ansi-html@0.0.7
Severity: HIGH
Security control: Software Component Analysis Js
Type: Improper Verification Of Cryptographic Signature In Node-Forge
Description: react-scripts>webpack-dev-server>selfsigned>node-forge@0.10.0
Severity: HIGH
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Postcss
Description: react-scripts>resolve-url-loader>postcss@7.0.14
Severity: MEDIUM
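The Jit findings above each name a transitive path such as react-scripts>react-dev-utils>immer@1.10.0. The check a reviewer wants before merging is whether the lockfile produced by the upgrade still installs those versions at those paths. The script below is an added example, not code from this PR, from Snyk or from Jit: it resolves each reported path against a package-lock.json in the lockfileVersion 1 layout, following npm's rule that a package's dependency is looked up in its own nested "dependencies" first and then in each ancestor's up to the hoisted root, and compares the installed version with the one the bot reported. The lockfile content is constructed for the example and is not the real react-scripts 3.1.0 tree; the paths and versions in FINDINGS are the ones quoted in the comments above.

```javascript
// Added example: resolve "a>b>c" dependency paths (as SCA bots print them)
// against a package-lock.json (lockfileVersion 1) and report what the lockfile
// actually installs at the end of each path. npm's physical layout is followed:
// a dependency of package P lives in P's own nested "dependencies" if present,
// otherwise in the nearest ancestor's, up to the hoisted root.

// Constructed lockfile fragment for this example. It is NOT the real
// react-scripts 3.1.0 tree; it is shaped to show a nested copy (immer under
// react-dev-utils) next to a hoisted one (the app's own immer at the root).
const LOCK = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    'react-scripts': {
      version: '3.1.0',
      requires: { 'react-dev-utils': '^9.0.3', 'webpack-dev-server': '3.8.0' },
    },
    'react-dev-utils': {
      version: '9.0.3',
      requires: { immer: '1.10.0' },
      // nested because the root already holds a different immer
      dependencies: { immer: { version: '1.10.0' } },
    },
    immer: { version: '9.0.6' },
    'webpack-dev-server': {
      version: '3.8.0',
      requires: { selfsigned: '^1.10.4', sockjs: '0.3.19' },
    },
    selfsigned: { version: '1.10.4', requires: { 'node-forge': '0.10.0' } },
    'node-forge': { version: '0.10.0' },
    sockjs: { version: '0.3.19' },
  },
};

// Walk one path. `chain` holds the lockfile nodes from the root down to the
// physical location of the package we are currently resolving from, so the
// lookup for the next hop searches that node, then each ancestor, then root.
// hasOwnProperty is used deliberately: a path segment like "__proto__" or
// "constructor" must not resolve to Object.prototype members.
function resolvePath(lock, pathStr) {
  const names = pathStr.split('>').map((s) => s.trim());
  let chain = [lock];
  const hops = [];
  let installed = null;
  for (const name of names) {
    let found = null;
    for (let i = chain.length - 1; i >= 0; i--) {
      const deps = chain[i].dependencies || {};
      if (Object.prototype.hasOwnProperty.call(deps, name)) {
        found = deps[name];
        chain = chain.slice(0, i + 1).concat(found);
        break;
      }
    }
    if (!found) return { path: pathStr, hops, installed: null };
    installed = found.version;
    hops.push(`${name}@${installed}`);
  }
  return { path: pathStr, hops, installed };
}

// Compare each reported path/version with the lockfile:
//   present - the reported version is still installed at that path
//   changed - the path exists but a different version is installed
//   absent  - the path cannot be followed in this lockfile
function checkFindings(lock, findings) {
  return findings.map(({ path, reported }) => {
    const { installed } = resolvePath(lock, path);
    const status = installed === null ? 'absent'
      : installed === reported ? 'present' : 'changed';
    return { path, reported, installed, status };
  });
}

// Naive root-only lookup, for contrast: it misses nested copies.
function rootVersion(lock, name) {
  const dep = lock.dependencies[name];
  return dep ? dep.version : null;
}

// Paths and versions as quoted in the Jit comments on this PR.
const FINDINGS = [
  { path: 'react-scripts>react-dev-utils>immer', reported: '1.10.0' },
  { path: 'react-scripts>webpack-dev-server>sockjs', reported: '0.3.19' },
  { path: 'react-scripts>webpack-dev-server>selfsigned>node-forge', reported: '0.10.0' },
  { path: 'react-scripts>resolve-url-loader>postcss', reported: '7.0.14' },
];

for (const result of checkFindings(LOCK, FINDINGS)) console.log(result);
console.log('root-level immer:', rootVersion(LOCK, 'immer'));
```

To run this against a real project, replace LOCK with the parsed contents of the repository's package-lock.json (for example JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))) and paste the bot's paths into FINDINGS. Lockfiles with lockfileVersion 2 or 3 additionally carry a flat `packages` map keyed by the node_modules path (such as node_modules/react-dev-utils/node_modules/immer), which encodes the same nesting and can be looked up directly. The contrast with rootVersion is the point: reading the root-level immer entry reports 9.0.6 and hides the 1.10.0 copy that react-dev-utils actually loads.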
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
SNYK-JS-TERSER-2806366
Why? Recently disclosed, Has a fix available, CVSS 5.3
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.