High vulnerability ReDoS in normalize-url #11054
Comments
Many are facing this exact issue.
Update two packages that used a highly vulnerable version of normalize-url See facebook/create-react-app#11054
There are a few npm warnings remaining but they rely on other packages to update like React: facebook/create-react-app#11054 For now, I've switched the build to use Yarn which allows us to use resolutions to include the newer versions of these insecure packages. The end result is that npm will still say there are fixes required, but the actual packages being used to build this package are the fixed versions.
Related issue #11012
Update two packages that used a highly vulnerable version of normalize-url See facebook/create-react-app#11054 (cherry picked from commit 70bf1b1)
Update two packages that used a highly vulnerable version of normalize-url See facebook/create-react-app#11054 (cherry picked from commit 70bf1b1) (cherry picked from commit b578120)
These warnings are false positives. There are no actual vulnerabilities affecting your app here. To fix, I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings. If you want to discuss this, please comment in #11102.
Please see #11174.
There is a Regular Expression Denial of Service (ReDoS) vulnerability in the normalize-url dependency.
This is the dependency tree:
react-components@0.1.0 › react-scripts@4.0.3 › mini-css-extract-plugin@0.11.3 › normalize-url@1.9.1
react-components@0.1.0 › react-scripts@4.0.3 › optimize-css-assets-webpack-plugin@5.0.4 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-normalize-url@4.0.1 › normalize-url@3.3.0
The vulnerability has been fixed in normalize-url versions 6.0.1, 5.3.1 and 4.5.1.
Version 1.6.0 of mini-css-extract-plugin doesn't have a dependency on normalize-url anymore, so including that one in react-scripts would solve this vulnerability issue. postcss-normalize-url still uses the unfixed version of normalize-url (4.5.0). This can be fixed by using the latest version (6.6.0) of optimize-css-assets-webpack-plugin.
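The dependency tree and fixed versions listed in the issue can be turned into a quick lockfile check. The script below is an added example (not code from the issue, create-react-app or normalize-url): it walks a package-lock.json v1-style nested `dependencies` map and reports every normalize-url instance outside the fixed release lines named above; the sample lockfile data is constructed to mirror the issue's tree.

```javascript
// Added example: flag normalize-url versions that are not in a fixed release
// line per the issue (6.0.1, 5.3.1, 4.5.1). The lockfile shape assumed here is
// package-lock.json lockfileVersion 1 (nested "dependencies" objects).

// Fixed versions named in the issue, keyed by major release line.
const FIXED = { 6: [6, 0, 1], 5: [5, 3, 1], 4: [4, 5, 1] };

function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// A version counts as fixed when it is a 4.x/5.x/6.x release at or above the
// listed fix, or any later major line. 1.x to 3.x never received a fix.
function isFixedNormalizeUrl(version) {
  const parsed = parseVersion(version);
  const fix = FIXED[parsed[0]];
  if (fix) return compareVersions(parsed, fix) >= 0;
  return parsed[0] > 6;
}

// Recursively walk a v1 "dependencies" map and return the path to every
// normalize-url instance that is not fixed, e.g. "a@1.0.0 > normalize-url@3.3.0".
function findUnfixedNormalizeUrl(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'normalize-url' && !isFixedNormalizeUrl(info.version)) {
      out.push(here.join(' > '));
    }
    findUnfixedNormalizeUrl(info.dependencies, here, out);
  }
  return out;
}

// Constructed sample mirroring the issue's dependency tree (not a real lockfile).
const sampleLock = { dependencies: {
  'react-scripts': { version: '4.0.3', dependencies: {
    'mini-css-extract-plugin': { version: '0.11.3', dependencies: {
      'normalize-url': { version: '1.9.1' } } },
    'optimize-css-assets-webpack-plugin': { version: '5.0.4', dependencies: {
      'cssnano': { version: '4.1.11', dependencies: {
        'postcss-normalize-url': { version: '4.0.1', dependencies: {
          'normalize-url': { version: '3.3.0' } } } } } } } } } } };

console.log(findUnfixedNormalizeUrl(sampleLock.dependencies));
```

To run it against a real project, replace `sampleLock` with `require('./package-lock.json')` from a lockfileVersion 1 file.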