Tags: npm, jestjs, braces, react-scripts

How to fix npm package braces issue with react-scripts v2.1.5 when npm audit does nothing?


My npm package in my React client folder is giving me 63 low vulnerabilities, all dealing with the braces package, mainly in the jest folder of the react-scripts package, version 2.1.5. npm audit fix doesn't work. What do I do?

I've tried downgrading to previous versions of react-scripts, and updating braces either by updating the package.json, deleting the package-lock and running npm install again, or by running npm update braces, but nothing has worked after 2 hours of fiddling. I've also tried reverting to a previous version of my package.json from GitHub from when it was working. I believe it stopped working after I tried to download firebase-ui, but I think it has to do with updating the packages, since I've deleted node_modules and run npm install several times.

Here's my clean package.json that's messing up:

"webpack-dev-server": "3.1.14",
"@babel/core": "*",
"axios": "*",
"body-parser": "*",
"bootstrap": "*",
"cors": "*",
"dotenv": "*",
"draft-js": "*",
"draft-js-export-html": "*",
"errorhandler": "*",
"express": "*",
"express-session": "*",
"history": "*",
"jquery": "*",
"moment": "*",
"mongoose": "*",
"morgan": "*",
"node-sass-chokidar": "*",
"npm-run-all": "*",
"path": "*",
"query-string": "*",
"react": "*",
"react-dom": "*",
"react-loadable": "*",
"react-redux": "*",
"react-router-dom": "*",
"react-router-redux": "*",
"react-scripts": "*",
"react-validation": "*",
"reactstrap": "*",
"recharts": "*",
"redux": "*",
"redux-logger": "*",
"redux-observable": "*",
"redux-thunk": "*",
"rxjs": "*",
"rxjs-compat": "*",
"validator": "*"

And here's the issue I'm getting:

Low Regular Expression Denial of Service

Package braces

Dependency of react-scripts

Path react-scripts > jest > jest-cli > micromatch > braces

More info https://nodesecurity.io/advisories/786

Solution

  • I ran npm install braces@2.3.1 and then npm update

    That still resulted in the 63 vulnerabilities but it did bring my braces to the current version. So I went through and updated ALL references of braces in the package-lock.json to 2.3.2. I then ran npm update again and when I ran npm audit the vulnerabilities were gone.