nth-check dependency v1.0.2 is vulnerable

[skubot]

Hi there, I got an alert from Snyk;
https://snyk.io/vuln/npm:css-select@2.1.0

css-select uses an old version of nth-check... needs to be upgraded to v2.0.1 or later. Thanks.

[fb55]

That site doesn't have an vulnerabilities listed:

No known vulnerabilities have been found for this package in Snyk's vulnerability database.

[fb55]

The range for nth-check allows for the current version. An npm audit --fix will resolve any issue you have.

[skubot]

Oh my god you're right sorry... the issue is that react-scripts@5.0.0 is using some older libraries downstream
ie: svgo@1.3.2 uses old css-select@2.1.0 which used to use nth-check@1.0.2

[chrisfinazzo]

For projects using Create React App, the fix is a breaking change and as configured it will install react-scripts@0.9.5 - which is super old.

Not exactly what I hoped to see.

[fb55]

@gaearon has written a great explanation of how to deal with and think about this: facebook/create-react-app#11174

[chrisfinazzo]

@gaearon has written a great explanation of how to deal with and think about this: facebook/create-react-app#11174

Good to know, thanks.

For the record, there is also a Prototype Pollution issue in async (another one of the transitive dependencies in CRA) which suggests the same fix. The PR for that is here.