npm audit vulnerability : react-scripts > webpack-dev-server > yargs > yargs-parser

[sonikamah]

while running npm audit , I am getting the below error for 'react-scripts' (1 low vulnerability ),
could you please help me ?

• Below I have added my package.json.

• Error is for : "react-scripts > webpack-dev-server > yargs > yargs-parser"

npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

---

package.json -> dependencies

"dependencies": {
"react": "^16.12.0",
"react-dom": "^16.12.0",
"react-router-dom": "^5.1.2",
"react-scripts": "3.4.0",
"reactstrap": "^8.4.1"
},

[dillu24]

Any updates on how much time this will take?

[sonikamah]

Any updates on how much time this will take?

not yet ... any other alternative solution do you have, as build is getting failed ?

[mohrash92]

I have usually fixed this issue by deleting the package-lock.json or yarn.lock and then running npm install or yarn (depending on which one you use).

[sonikamah]

I have usually fixed this issue by deleting the package-lock.json or yarn.lock and then running npm install or yarn (depending on which one you use).

Thanks for your input. have tried deleting package.json but no luck.

[scailbc]

It should be enough to update webpack-dev-server to the latest version 3.11.0 in react-scripts.
This is already done in master branch, so we just need a new release of react-scripts

[dillu24]

It should be enough to update webpack-dev-server to the latest version 3.11.0 in react-scripts.
This is already done in master branch, so we just need a new release of react-scripts

Hope it is soon.

[sonikamah]

It should be enough to update webpack-dev-server to the latest version 3.11.0 in react-scripts.
This is already done in master branch, so we just need a new release of react-scripts

Hope it is soon.

any luck ?

[damien-git]

See also: #8529, #8970, #8975.

[tatebosler]

This appears to be happening even when "react-scripts": "^3.4.0" or "react-scripts: "3.4.1" is used. On version 3.4.1, npm ls gives the following output:

└─┬ react-scripts@3.4.1
 [ snipped for brevity ]
  ├─┬ webpack-dev-server@3.10.3

Looks like the package.json file on npm needs an update or something, as it's already been addressed here: https://github.com/facebook/create-react-app/blob/master/packages/react-scripts/package.json#L82

[dillu24]

Anyone managed to solved this?