Missing Origin Validation in react-scripts@2.1.2
Created by: sunknudsen
Is this a bug report?
Yes, NPM reports 1 high severity vulnerability when running npx create-react-app my-app. Not sure why I can't find a bug report already about this issue. Sorry if it has already been reported.
According to npm audit, the webpack-dev-server dependency has to be upgraded to >=3.1.11.
Environment
npx create-react-app --info
npx: installed 63 in 2.22s
Environment Info:
System:
OS: macOS High Sierra 10.13.6
CPU: x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
Binaries:
Node: 10.11.0 - /usr/local/bin/node
npm: 6.5.0 - ~/Sites/theregulars/theregulars-reviews/node_modules/.bin/npm
Browsers:
Chrome: 71.0.3578.98
Firefox: 64.0
Safari: 12.0.2
npmPackages:
react: ^16.6.3 => 16.6.3
react-dom: ^16.6.3 => 16.6.3
react-scripts: ^2.1.2 => 2.1.2
npmGlobalPackages:
create-react-app: Not FoundSteps to Reproduce
npx create-react-app my-app
cd my-app⸨⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⠂⸩ ⠧ rollbackFailedOptional: verb npm-session 2bed87enpx: installed 63 in 4.162s
Creating a new React app in /Users/sunknudsen/tmp/my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
> fsevents@1.2.4 install /Users/sunknudsen/tmp/my-app/node_modules/fsevents
> node install
[fsevents] Success: "/Users/sunknudsen/tmp/my-app/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" already installed
Pass --update-binary to reinstall or --build-from-source to recompile
+ react-scripts@2.1.2
+ react@16.7.0
+ react-dom@16.7.0
added 1794 packages from 684 contributors and audited 35709 packages in 47.487s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Success! Created my-app at /Users/sunknudsen/tmp/my-app
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd my-app
npm start
Happy hacking!npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Missing Origin Validation │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ webpack-dev-server │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.1.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts > webpack-dev-server │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/725 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 35709 scanned packages
1 vulnerability requires manual review. See the full report for details.