create-react-app: Missing Origin Validation in react-scripts@2.1.2
Is this a bug report?
Yes, NPM reports 1 high severity vulnerability when running npx create-react-app my-app. Not sure why I can’t find a bug report already about this issue. Sorry if it has already been reported.
According to npm audit, the webpack-dev-server dependency has to be upgraded to >=3.1.11.
Environment
npx create-react-app --info
npx: installed 63 in 2.22s
Environment Info:
System:
OS: macOS High Sierra 10.13.6
CPU: x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
Binaries:
Node: 10.11.0 - /usr/local/bin/node
npm: 6.5.0 - ~/Sites/theregulars/theregulars-reviews/node_modules/.bin/npm
Browsers:
Chrome: 71.0.3578.98
Firefox: 64.0
Safari: 12.0.2
npmPackages:
react: ^16.6.3 => 16.6.3
react-dom: ^16.6.3 => 16.6.3
react-scripts: ^2.1.2 => 2.1.2
npmGlobalPackages:
create-react-app: Not Found
Steps to Reproduce
npx create-react-app my-app
cd my-app
npx: installed 63 in 4.162s
Creating a new React app in /Users/sunknudsen/tmp/my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
> fsevents@1.2.4 install /Users/sunknudsen/tmp/my-app/node_modules/fsevents
> node install
[fsevents] Success: "/Users/sunknudsen/tmp/my-app/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" already installed
Pass --update-binary to reinstall or --build-from-source to recompile
+ react-scripts@2.1.2
+ react@16.7.0
+ react-dom@16.7.0
added 1794 packages from 684 contributors and audited 35709 packages in 47.487s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Success! Created my-app at /Users/sunknudsen/tmp/my-app
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd my-app
npm start
Happy hacking!
npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Missing Origin Validation │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ webpack-dev-server │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.1.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > webpack-dev-server │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/725 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 35709 scanned packages
1 vulnerability requires manual review. See the full report for details.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 34
- Comments: 29 (8 by maintainers)
Just gave a nudge to @gaearon. Hoping to get a patch out soon. Sorry for the delay!
v2.1.3 is available. Please let me know if you have any more issues!
Running npm audit fix now fixes the vulnerability. Thanks @ianschmitz!
Can we have some feedback about the release date of this patch? We deactivated the audit step from our build so as to not block everyone.
I know that I can use a resolution to force the version of webpack-dev-server, but I just do not want to do some workaround on something that is going to be released soon. So my main question is: when is this patch going to be released?
Thanks a lot
I gave @ianschmitz publish rights and he’s working on putting out a release.
Any update on this? @ianschmitz @gaearon
Waiting…
Updating webpack-dev-server doesn’t work because there’s a typo in the audit repository 🙈 https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4
#6064 is in now. I’ll see if we can get a patch release out ASAP.
Same issue here. Can’t fix with “npm audit fix” or upgrading to @latest.
We should bump #6064 and get it in
I haven’t been able to get a hold of @gaearon. @timer said he will have access to a computer again later today and will release the patch tonight.