Abdul Mahamaliyev

Reputation: 866

github Dependabot alert: Inefficient Regular Expression Complexity in nth-check

Possible duplicate, but couldn't find any clear answers.

Dependabot cannot update nth-check to a non-vulnerable version. The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:

[email protected] requires nth-check@^1.0.2 via a transitive dependency on [email protected]

I just upgraded to [email protected] from 4.0.0.

Upvotes: 53

Views: 83936

Answers (13)

Faizan Ahmad

Reputation: 632

Thanks to this GitHub thread, I was able to solve this. This basically helps Snyk remove the scanning issue on nth-check.

{
  "dependencies": {
    "react-scripts": "^5.0.1",
    "web-vitals": "^2.1.4",
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss": "^8.4.38"
  }
}

See more: GitHub Answer

Upvotes: 1

Aran Tamool

Reputation: 309

I had the same error and I fixed it by doing the following:

  1. Added the below in package.json:

"overrides": { "nth-check": "^2.1.1" }

  2. Ran npm i, then npm audit fix.

Upvotes: 3

Salmanul faris M P

Reputation: 21

https://github.com/facebook/create-react-app/issues/4342

Check this link; you can clearly see that react-scripts is not a devDependency. The react-scripts package includes polyfills that are used in production, so the answer that you have marked as right is not right.

Upvotes: 0

Vick Faby

Reputation: 11

To identify outdated nth-check dependencies, please run the command:

npm list nth-check

then, you will see in your terminal something like:

`--  [email protected]

`--  [email protected]

Here you can see that some dependencies are updated and others outdated. Next, in your editor you could search all your files for "nth-check" and you will see which files have version "[email protected]", for example.

Then you replace these dependencies manually with the latest version that you see, for example:

[email protected] instead of [email protected]

Then in your terminal try again:

npm i

and this vulnerability should disappear.

Upvotes: 1

Murat Yıldız

Reputation: 12032

In the package-lock.json, make the updates for all of the nth-check fields based on the version in GitHub Dependabot alert:

For example, for >=2.0.1, update the fields (version, resolved and nth-check) as shown below:

"node_modules/svgo/node_modules/nth-check": {
  "version": "2.0.1",
  "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz", // just update the version part (2.0.1)
  ...
}

"node_modules/svgo/node_modules/css-what": {
  ...
  "nth-check": ">=2.0.1"
}

After this, run npm audit --production to verify.

Upvotes: 0

Divakar R

Reputation: 845

I had to change a particular dependency and its child dependency version to 2.0.1. In my case the dependency which had the problem was "css-select@npm:^2.0.0".

Just search for nth-check in the yarn.lock file and you will find the nth-check dependency as a child dependency inside "css-select@npm:^2.0.0". There you need to change the version from "1.0.2" to "2.0.1"; it would look something like below:

"css-select@npm:^2.0.0":
  version: 2.1.0
  resolution: "css-select@npm:2.1.0"
  dependencies:
    boolbase: ^1.0.0
    css-what: ^3.2.1
    domutils: ^1.7.0
    nth-check: ^2.0.1  # this is where you need to make the change
  checksum: 0c4099910f2411e2a9103cf92ea6a4ad738b57da75bcf73d39ef2c14a00ef36..
  languageName: node
  linkType: hard

Any dependency still using this old version of nth-check as a child dependency has to be updated, and that will fix the issue.

Upvotes: 1

omar mahjoubi

Reputation: 11

In your CMD, check "npm -g list"

and run "npm install -g create-react-app"

After that, run "npx create-react-app ./"

Upvotes: -3

Jayanth MKV

Reputation: 313

If none of the above-mentioned methods worked, then try this:

First, check whether the vulnerable module is used in your code using

npm-check

Now, if the vulnerable module is not used in the code, then head over to the 'package-lock.json' and search for the vulnerability path like

node_modules/svgo/node_modules/nth-check

and remove this dependency in the json file

Then run

npm audit

This will display

found 0 vulnerabilities

This mostly occurs when you used

npx create-react-app "app"

and tried to install the module "react-scripts".

Upvotes: 1

Vedansh

Reputation: 101

Open package.json. You will find this:

{
  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3"
  }
}

Take react-scripts and move it to devDependencies (if you don't have it, create it):

{
  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  }
}

Then, ensure you run "npm audit --production"

This will fix your warnings.

Upvotes: 10

Mahdi Ghajary

Reputation: 3253

A few points before telling you the workaround:

  1. It seems that the react-scripts vulnerability is a false alarm (as discussed here). Dan Abramov also wrote a fascinating in-depth blog post about how npm audit works and how it's somehow broken especially for front-end tooling by design.

  2. Since react-scripts is essentially a build tool, even if the vulnerability was indeed genuine, it would be considered only a development issue since it'll be stripped from the production bundle anyway.

So if you do nothing about this so-called "vulnerability", nothing bad is going to happen and it's perfectly fine. But if the red alarm that a vulnerability exists is annoying you, either aesthetically or because it is disrupting your CI/CD, then read on.

Workaround:

The problem seems to start with the lib @svgr/webpack 4.0.0 - 5.0.0.

If you are using node version >= 16, you can install @svgr/webpack yourself; in my case I installed version ^6.2.1 as a devDependency.

After that, you should create an overrides (or resolutions if you are using yarn) section in your package.json and include the line: "@svgr/webpack": "$@svgr/webpack".

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

Workaround credit.

Upvotes: 38

richard

Reputation: 149

I confirm it still works as of react-scripts 5.0.1 that you can move your version of react scripts from "dependencies" to "devDependencies" in package.json like this:

"devDependencies": {
  "react-scripts": "^5.0.1"
},

"devDependencies are packages that are consumed by requiring them in files or run as binaries, during the development phase. These are packages that are only necessary during development and not necessary for the production build."

Run "npm audit --production" to show that you do not need react-scripts at production.

Of course, if you still run into vulnerabilities, another package might have caused the vulnerability.

https://dev.to/moimikey/demystifying-devdependencies-and-dependencies-5ege

Upvotes: 10

LoveriusB

Reputation: 523

I also am on react-scripts@^5.0.0

So, I would personally recommend using yarn first. But everybody has their own preferences! To do so, you can type

npm install --global yarn

After that, you could remove your package-lock file and run the following command (in the folder of your app, of course):

yarn

(such a surprise.) This will generate a yarn.lock file. Note that you should avoid using yarn and npm at the same time !

In that very same yarn.lock file, you will have to search for nth-check string! In a brand new react app (so far), you should find 8 occurrences of that string. This string will be set next to a package version. That's what you want to change.

In my case, I have for example

nth-check@^1.0.2:  # so far. This version can be different for an older project.
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"

You want to change all those wrong versions. It should look like this:

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz"

You will have to change a couple of versions though, not just one. I did it about 6 times, I believe. If you save the file, launch a simple

yarn

command followed by a

yarn audit

It SHOULD fix one of your problems!

Hope this was helpful. Cheers!

Upvotes: 2

kidney

Reputation: 3083

As Dan Abramov explains in this issue, it is (very likely) a false alarm and can be safely dismissed.

More specifically, if you are using CRA and nth-check is referenced only from it, it is not an issue, because CRA is a build tool and the vulnerable code will never get into the resulting application bundle and thus will never be called by client code.

You can verify this by moving "react-scripts" into "devDependencies" in package.json and running npm audit --production.

Upvotes: 81
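Several answers above boil down to the same two questions: where in the install tree each copy of nth-check lives (what `npm list nth-check` prints, and what the lockfile-editing answers patch by hand), and whether those copies are reachable only through devDependencies (what `npm audit --production`, now `--omit=dev`, uses to skip them). The following is an added example, not code from the thread or from npm, that answers both questions offline from a lockfile. It reads the `packages` map of an npm lockfile (lockfileVersion 2/3), where each installed path carries a `version` and, for dev-only paths, `"dev": true`. The lockfile embedded below is constructed for illustration; its paths mirror a CRA project, but the exact graph is assumed, not copied from any real project. The semver comparison is a deliberately minimal x.y.z compare, not the `semver` package.

```javascript
// Added example: inspect an npm lockfile (v2/v3 "packages" map) for every
// installed copy of a package, flag copies below the fixed version, and show
// which of them a production-only audit would skip because of "dev": true.

// Constructed lockfile fragment (assumed shape, illustrative only). The nested
// copy under svgo is the one CRA projects typically see in the Dependabot alert.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { react: "^17.0.2", "react-dom": "^17.0.2" },
      devDependencies: { "react-scripts": "4.0.3" },
    },
    "node_modules/react": { version: "17.0.2" },
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/svgo": { version: "1.3.2", dev: true },
    "node_modules/svgo/node_modules/nth-check": {
      version: "1.0.2",
      resolved: "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz",
      dev: true,
    },
    "node_modules/nth-check": { version: "2.0.1" },
  },
};

// Minimal semver compare for plain x.y.z versions (no prerelease or range
// handling). Returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every path where `name` is installed. npm keys paths as
// ".../node_modules/<name>", so match on the final path segment only;
// this is the same set of copies `npm list <name>` prints.
function findInstalls(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      dev: entry.dev === true,
    }));
}

// Copies strictly below `fixedIn`. With omitDev, drop the copies that are
// reachable only via devDependencies, mirroring what `npm audit --omit=dev`
// (formerly --production) leaves out.
function auditPackage(lock, name, fixedIn, { omitDev = false } = {}) {
  const vulnerable = findInstalls(lock, name).filter(
    (i) => compareVersions(i.version, fixedIn) < 0
  );
  return omitDev ? vulnerable.filter((i) => !i.dev) : vulnerable;
}

// Usage: compare a full audit with a production-only one.
const allHits = auditPackage(sampleLock, "nth-check", "2.0.1");
const prodHits = auditPackage(sampleLock, "nth-check", "2.0.1", { omitDev: true });
console.log("copies below 2.0.1:", allHits.map((i) => `${i.path}@${i.version}`));
console.log("copies a production-only audit reports:", prodHits.length);
```

The `dev` flag describes the dependency graph, not the shipped artifact: it tells you the copy is pulled in only through devDependencies, which is exactly the argument the accepted answer makes for react-scripts, and also exactly the assumption the dissenting answer about polyfills questions. Use it to decide what an audit will report; confirm what actually ends up in the bundle separately.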
