"How do I resolve multiple vulnerabilities in my React project (PostCSS, nth-check, etc.)? I'm new to this and could use some help!"

Posted by CaterpillarIcy8646@reddit | learnprogramming | View on Reddit | 7 comments

Hi everyone, I'm pretty new to working with React and managing dependencies, and I could really use some guidance on how to fix some vulnerabilities that have popped up in my project. When I run npm audit, I get the following vulnerabilities:

nth-check <2.0.1
High severity: Inefficient Regular Expression Complexity in nth-check.
It's used by u/svgr/webpack, which is part of react-scripts.
PostCSS <8.4.31
Moderate severity: PostCSS line return parsing error.
It's used by resolve-url-loader, which is also part of react-scripts.

What I've Tried So Far:

I ran npm audit fix, but the issues persist.
I also tried npm audit fix --force, but it suggests installing react-scripts@3.0.1, which seems like a breaking change.
I have tried looking for posts on stack overflow but im not making any progress.

Questions:

Is updating react-scripts to version 3.0.1 a safe solution, or will it cause more issues due to the breaking changes?
Should I try to manually update the vulnerable packages like nth-check and postcss? If so, how do I go about it without breaking other dependencies?
Am I missing something crucial when using npm audit fix --force? I have tried this and do understand that I shouldnt use this tool haphazardly.
Any advice on how to handle these vulnerabilities without causing other issues in my project would be greatly appreciated!

I have tried to look for dependancy mismatches using npx expo doctor, npx expo install --check and asking chat gpt.

Thanks in advance for your help!

[-]

dreadington@reddit

I was dealing with this literally yesterday, and it's not looking good.

The latest react-scripts version is 5.0.1, which I think it currently you should be on as well. Running npm audit fix downgrades the package to 3.0.1, which resolves the vulnerabilities you have initially, but adds many more, cause it downgrades to a much earlier version.

It seems that react-scripts hasn't been supported for the last 2-3 years, and my quick research shows that people recommend vite as an alternative. You're gonna have to read some documentation about how to migrate your project from react-scripts to vite.

Unfortunately I can't help you more, since I haven't made the switch yet either.

[-]

CaterpillarIcy8646@reddit (OP)

Hey man so I went to another r/page and a user mentioned that we shouldnt rely on npm audit:
https://overreacted.io/npm-audit-broken-by-design/

Also in my research I found:

React-Scripts (5.0.1):

This is a dependency used for projects bootstrapped with Create React App (CRA). It doesn't integrate well with Expo projects as they use entirely different build systems (Webpack for CRA vs Metro for Expo).
Expo typically does not require react-scripts, and such overlaps can cause conflicts.

I removed react-scripts and the error goes away and project runs fine. Hope that helps:)

PS: I just realized that I didnt specify that it was for an expo project using react native, apologies.

[-]

dreadington@reddit

Thank you for the infos!

[-]

CaterpillarIcy8646@reddit (OP)

Would explain why I cant find anything on it, ty for your time

[-]

math_rand_dude@reddit

It's always a pain, especially with older versions that don't mix well with newer versions.

If it is not possible to update/upgrade all packages to their latest version, there's one (ugly) way of fixing specific vulnerabilities.

https://www.npmjs.com/package/npm-force-resolutions

[-]

CaterpillarIcy8646@reddit (OP)

managed ty sir

[-]

CaterpillarIcy8646@reddit (OP)

Will have a look ty