Yustina Yasin

Reputation: 319

how to fix Regular Expression Denial Of Services in react script

I got 86 vulnerabilities, 4 of them high. I then ran npm audit to see what's wrong with my React project:

  High            Regular Expression Denial of Service

  Package         normalize-url

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1

  Dependency of   react-scripts

  Path            react-scripts > optimize-css-assets-webpack-plugin > cssnano
                  > cssnano-preset-default > postcss-normalize-url >
                  normalize-url

  More info       https://npmjs.com/advisories/1755

I then visited the URL and learned that I should upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later. I did it using npm install [email protected], but I still get the same vulnerabilities. I tried to check which version of normalize-url was installed by running npm ls normalize-url and got:

+-- [email protected]
`-- [email protected]
  +-- [email protected]
  | `-- [email protected]
  `-- [email protected]
    `-- [email protected]
      `-- [email protected]
        `-- [email protected]
          `-- [email protected]

I've also tried https://www.npmjs.com/package/npm-force-resolutions and I still get the vulnerabilities. Does anyone know how to fix this? Thanks

Upvotes: 3

Views: 6500

Answers (2)

Adam

Reputation: 11

I just got the same issue. Since React is maintained by Facebook I don't want to trust it, so I deleted it; also, I can't imagine making a project with 86 vulnerabilities, 4 of them ReDoS High.

I suggest you try deleting the normalize-url module from the node_modules folder and from package-lock.json, then install the latest package, 6.0.1:

npm i normalize-url

Let me know if that fixes it.

Upvotes: 1

Crustyeyelids

Reputation: 540

I'm pretty sure what the output of the npm ls command is telling you is that you have [email protected] installed, but react-scripts is still relying on version 1.9.1. And not even react-scripts itself: react-scripts relies on mini-css-extract-plugin, which relies on [email protected]. And then there is a chain from optimize-css-assets-webpack-plugin that relies on [email protected]. So you'll need to wait for the React team to fix their dependencies. And it looks like they recently have: https://github.com/apache/airflow/pull/16375 (EDIT: scratch this comment, I realize now this has nothing to do with the react-scripts package. I thought maybe it did in some way. But I'll leave this statement in here as a mark of my shame :P ).

The React team knows about this vulnerability (https://github.com/facebook/create-react-app/issues/11054), but I'm not certain when the fix will be deployed and/or how those updates get dispersed.

Upvotes: 2
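To see the situation the answer above describes in code, here is an added example (not from the question or either answer) that walks the JSON form of the dependency tree, finds every installed copy of a package, and checks each one against the advisory's "Patched in" ranges. The tree is a constructed sample shaped like the chains in the answer; only the normalize-url versions 1.9.1 and 6.0.1 come from the page, the 4.5.0 copy and the absence of versions on intermediate packages are assumptions.

```javascript
// Added example: audit every copy of a package in an `npm ls --json`-style tree.
// A real tree would come from JSON.parse(require('child_process')
//   .execSync('npm ls --all --json')); the sample below is constructed.

// Compare two "x.y.z" versions numerically; negative, zero or positive.
const cmp = (a, b) => {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
};

// Minimal range check for the form npm audit prints: alternatives separated by
// "||", each a space-separated list of >=, >, <=, < comparators.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(c => {
      const m = /^(>=|<=|>|<)(\d+\.\d+\.\d+)$/.exec(c);
      if (!m) throw new Error(`unsupported comparator: ${c}`);
      const d = cmp(version, m[2]);
      return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0 }[m[1]];
    }));
}

// Depth-first walk; returns one record per installed copy of `name`, with the
// dependency path that pulled it in and whether its version is patched.
function findCopies(tree, name, patchedRange, path = []) {
  const out = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      out.push({ path: here.join(' > '), version: info.version,
                 patched: satisfies(info.version, patchedRange) });
    }
    out.push(...findCopies(info, name, patchedRange, here));
  }
  return out;
}

// Constructed sample tree: a patched top-level copy plus two transitive,
// unpatched copies, mirroring the chains the answer explains.
const sampleTree = { dependencies: {
  'normalize-url': { version: '6.0.1' },
  'react-scripts': { dependencies: {
    'mini-css-extract-plugin': { dependencies: {
      'normalize-url': { version: '1.9.1' } } },
    'optimize-css-assets-webpack-plugin': { dependencies: {
      cssnano: { dependencies: {
        'cssnano-preset-default': { dependencies: {
          'postcss-normalize-url': { dependencies: {
            'normalize-url': { version: '4.5.0' } } } } } } } } } } } } };

const PATCHED = '>=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1'; // from npm audit
const unpatched = findCopies(sampleTree, 'normalize-url', PATCHED)
  .filter(c => !c.patched);
for (const c of unpatched) console.log(`UNPATCHED ${c.version}: ${c.path}`);
```

Installing normalize-url at the top level adds only the first copy; the two transitive copies stay until the intermediate packages (or an npm overrides / resolutions entry) change what they require.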
