GitHub Dependabot alert: Inefficient Regular Expression Complexity in nth-check

Possible duplicate, but couldn't find any clear answers.

Dependabot cannot update nth-check to a non-vulnerable version. The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:

[email protected] requires nth-check@^1.0.2 via a transitive dependency on [email protected]

just upgraded to [email protected] from 4.0.0.



Solution 1:[1]

As Dan Abramov explains in this issue, it is (very likely) a false alarm and can be safely dismissed.

More specifically, if you are using CRA and nth-check is referenced only from it, it is not an issue, because CRA is a build tool and the vulnerable code will never get into the resulting application bundle and thus will never be called by client code.

You can verify this by moving "react-scripts" into "devDependencies" in package.json and running npm audit --production.

Solution 2:[2]

I can confirm that, as of react-scripts 5.0.1, it still works to move your version of react-scripts from "dependencies" to "devDependencies" in package.json like this:

 "devDependencies": {
    "react-scripts": "^5.0.1"
  },

"devDependencies are packages that are consumed by requiring them in files or run as binaries, during the development phase. These are packages that are only necessary during development and not necessary for the production build."

Run "npm audit --production" to show that you do not need react-scripts in production.

Of course, if you still run into vulnerabilities, another package might have caused the vulnerability.

https://dev.to/moimikey/demystifying-devdependencies-and-dependencies-5ege
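The reasoning in Solutions 1 and 2 (a vulnerable package that is reachable only through a dev dependency never ships) can be checked against the lockfile directly. The following is an added example, not code from the original answers or from Create React App: it walks a package-lock.json (lockfileVersion 2 or 3) from the root's "dependencies" and from its "devDependencies" and classifies every installed copy of a package as production-reachable or dev-only. The lockfile it runs on is constructed and simplified (the real CRA chain goes through @svgr/webpack; here it is shortened to react-scripts -> svgo -> css-select -> nth-check), and the function names are my own.

```javascript
// Added example (not from the original post): classify every installed copy of a
// package in a package-lock.json (lockfileVersion 2 or 3) as reachable from the
// root's "dependencies" (ships to production) or only from "devDependencies".
// This is the reasoning behind `npm audit --production`.

// Resolve dependency `depName` of the package installed at `fromLoc` the way Node
// does: its own node_modules first, then each parent's node_modules, up to the root.
function resolveDep(packages, fromLoc, depName) {
  let loc = fromLoc;
  for (;;) {
    const candidate = loc ? `${loc}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!loc) return null; // reached the root without finding it
    const idx = loc.lastIndexOf('/node_modules/');
    loc = idx === -1 ? '' : loc.slice(0, idx);
  }
}

// All package locations reachable from the root's `rootField`
// ("dependencies" or "devDependencies"), following runtime deps only.
function reachableFrom(lock, rootField) {
  const packages = lock.packages;
  const seen = new Set();
  const stack = Object.keys(packages[''][rootField] || {})
    .map((dep) => resolveDep(packages, '', dep))
    .filter(Boolean);
  while (stack.length) {
    const loc = stack.pop();
    if (seen.has(loc)) continue;
    seen.add(loc);
    const deps = {
      ...(packages[loc].dependencies || {}),
      ...(packages[loc].optionalDependencies || {}),
    };
    for (const dep of Object.keys(deps)) {
      const child = resolveDep(packages, loc, dep);
      if (child && !seen.has(child)) stack.push(child);
    }
  }
  return seen;
}

// Name of the package installed at a lockfile location (scoped names included).
function packageName(loc) {
  return loc.slice(loc.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Every installed copy of `name`, split into production-reachable and dev-only.
function classify(lock, name) {
  const prod = reachableFrom(lock, 'dependencies');
  const dev = reachableFrom(lock, 'devDependencies');
  const result = { production: [], devOnly: [] };
  for (const loc of Object.keys(lock.packages)) {
    if (loc === '' || packageName(loc) !== name) continue;
    const entry = `${loc}@${lock.packages[loc].version}`;
    if (prod.has(loc)) result.production.push(entry);
    else if (dev.has(loc)) result.devOnly.push(entry);
  }
  return result;
}

// Constructed, simplified lockfile (hypothetical versions and edges, not a real
// CRA lockfile). `reactScriptsField` selects where the root lists react-scripts.
function makeLock(reactScriptsField) {
  const root = { name: 'my-app', dependencies: { react: '^18.2.0' } };
  root[reactScriptsField] = { ...(root[reactScriptsField] || {}), 'react-scripts': '^5.0.1' };
  return {
    lockfileVersion: 3,
    packages: {
      '': root,
      'node_modules/react': { version: '18.2.0' },
      'node_modules/react-scripts': { version: '5.0.1', dependencies: { svgo: '^1.2.2', 'css-select': '^4.1.3' } },
      'node_modules/css-select': { version: '4.3.0', dependencies: { 'nth-check': '^2.0.1' } },
      'node_modules/nth-check': { version: '2.0.1' },
      'node_modules/svgo': { version: '1.3.2', dependencies: { 'css-select': '^2.0.0' } },
      // the old css-select cannot use the hoisted 4.x copy, so npm nests it and its nth-check 1.x
      'node_modules/svgo/node_modules/css-select': { version: '2.1.0', dependencies: { 'nth-check': '^1.0.2' } },
      'node_modules/svgo/node_modules/nth-check': { version: '1.0.2' },
    },
  };
}

console.log('react-scripts in dependencies   :', classify(makeLock('dependencies'), 'nth-check'));
console.log('react-scripts in devDependencies:', classify(makeLock('devDependencies'), 'nth-check'));
```

With react-scripts under "dependencies" both copies of nth-check (2.0.1 hoisted, 1.0.2 nested under svgo) come back as production; once it is moved to "devDependencies" both are dev-only, which is what the `npm audit --production` check in the answers relies on. To run it on a real project, replace `makeLock(...)` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files have no `packages` map and are not handled.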

Solution 3:[3]

I am also on react-scripts@^5.0.0

So, I would personally recommend using yarn first. But everybody has their own preferences! To do so, you can type

npm install --global yarn

After that you could remove your package-lock file and run the following command in the folder of your app, of course:

yarn

(such a surprise.) This will generate a yarn.lock file. Note that you should avoid using yarn and npm at the same time!

In that very same yarn.lock file, you will have to search for the nth-check string! In a brand new react app (so far), you should find 8 occurrences of that string. This string will be set next to a package version. That's what you want to change.

In my case, I have for example

nth-check@^1.0.2: //so far. This version can be different for an older project.
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"

You want to change all those wrong versions. It should look like this:

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz"

You will have to change a couple of versions though. Not just one. I did it (~6 times, I believe). If you save the file, launch a simple

yarn

command followed by a

yarn audit

It SHOULD fix one of your problems!

Hope this was helpful. Cheers!
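The search through yarn.lock described in Solution 3 can be done programmatically. The following is an added example, not code from the answer: a small parser for the yarn v1 lockfile format that lists every entry for a package below a chosen major version, together with the ranges under which it is recorded and the dependents that request those ranges. The lockfile text is constructed for the example (the integrity values are placeholders), and the function names are my own.

```javascript
// Added example (not from the original answer): parse a yarn v1 lockfile and
// report every entry for a package whose major version is below `minMajor`,
// with the requested ranges and the dependents requesting them.

// Minimal yarn v1 parser: top-level "key[, key]:" lines open an entry; 2-space
// lines carry version/resolved/integrity; "dependencies:" is followed by
// 4-space `name "range"` lines.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0 && line.endsWith(':')) {
      // keys look like `nth-check@^1.0.2` or `"@scope/name@^1.0.0"`; name is before the last '@'
      const keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      const at = keys[0].lastIndexOf('@');
      current = {
        name: at > 0 ? keys[0].slice(0, at) : keys[0],
        ranges: keys.map((k) => k.slice(k.lastIndexOf('@') + 1)),
        version: null,
        resolved: null,
        dependencies: {},
      };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2 && current) {
      if (line === 'dependencies:') { inDeps = true; continue; }
      inDeps = false; // optionalDependencies:, bin:, etc. are ignored here
      const m = line.match(/^(\w+) "(.*)"$/);
      if (m && (m[1] === 'version' || m[1] === 'resolved')) current[m[1]] = m[2];
    } else if (indent === 4 && current && inDeps) {
      const m = line.match(/^"?([^"\s]+)"? "(.*)"$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

function majorOf(version) {
  return parseInt(version.split('.')[0], 10);
}

// Entries for `name` below `minMajor`, each with the dependents that request one
// of its ranges (yarn keys entries by the requested range, so this is what decides
// whether an entry survives the next `yarn` run).
function findOutdated(entries, name, minMajor) {
  return entries
    .filter((e) => e.name === name && e.version !== null && majorOf(e.version) < minMajor)
    .map((e) => ({
      version: e.version,
      ranges: e.ranges,
      requestedBy: entries
        .filter((d) => e.ranges.includes(d.dependencies[name]))
        .map((d) => `${d.name}@${d.version}`),
    }));
}

// Constructed sample lockfile: two css-select lines pulling in two nth-check lines.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"css-select@^2.0.0":
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/css-select/-/css-select-2.1.0.tgz"
  integrity sha512-constructed
  dependencies:
    boolbase "^1.0.0"
    nth-check "^1.0.2"

css-select@^4.1.3:
  version "4.3.0"
  resolved "https://registry.yarnpkg.com/css-select/-/css-select-4.3.0.tgz"
  integrity sha512-constructed
  dependencies:
    boolbase "^1.0.0"
    nth-check "^2.0.1"

nth-check@^1.0.2, nth-check@~1.0.1:
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"
  integrity sha1-constructed
  dependencies:
    boolbase "~1.0.0"

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz"
  integrity sha512-constructed
  dependencies:
    boolbase "^1.0.0"
`;

console.log(JSON.stringify(findOutdated(parseYarnLock(SAMPLE_YARN_LOCK), 'nth-check', 2), null, 2));
```

The dependents are reported because yarn looks entries up by the range a dependent requests (`nth-check@^1.0.2`); a dependent that still requests `^1.0.2` is re-resolved on the next `yarn` run if no entry remains under that key, and the package.json `resolutions` field is yarn's supported way to pin such a transitive dependency to one version. To run this on a real project, pass `fs.readFileSync('yarn.lock', 'utf8')` to `parseYarnLock`.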

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 richard
Solution 3 LoveriusB