Tags: javascript, reactjs, npm, sass, node-sass

NPM manual review not working after updating packages


I downloaded node-sass and after doing so I received this message "found 9 vulnerabilities (4 moderate, 5 high) in 1869 scanned packages 9 vulnerabilities require manual review. See the full report for details." The thing is that I tried to install every new version manually with npm install <packagename>@version --save-dev as a lot of people have suggested but I still get the same warning message, with 4 moderate and 5 high vulnerabilities, so it's not working.

I have also tried npm update, npm audit fix and npm audit fix --force but no luck.

  Moderate        Regular Expression Denial of Service
  Package         postcss
  Patched in      >=7.0.36 <8.0.0 || >=8.2.10
  Dependency of   react-scripts
  Path            react-scripts > resolve-url-loader > postcss
  More info       https://npmjs.com/advisories/1693

  Moderate        Regular Expression Denial of Service
  Package         browserslist
  Patched in      >=4.16.5
  Dependency of   react-scripts
  Path            react-scripts > react-dev-utils > browserslist
  More info       https://npmjs.com/advisories/1747

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts
  Path            react-scripts > webpack > watchpack > watchpack-chokidar2 >
                  chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts
  Path            react-scripts > webpack-dev-server > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  High            Regular Expression Denial of Service
  Package         trim-newlines
  Patched in      >=3.0.1 <4.0.0 || >=4.0.1
  Dependency of   node-sass
  Path            node-sass > meow > trim-newlines
  More info       https://npmjs.com/advisories/1753

  High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   react-scripts
  Path            react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >
                  css-select > css-what
  More info       https://npmjs.com/advisories/1754

  High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   react-scripts
  Path            react-scripts > optimize-css-assets-webpack-plugin > cssnano
                  > cssnano-preset-default > postcss-svgo > svgo > css-select
                  > css-what
  More info       https://npmjs.com/advisories/1754

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   react-scripts
  Path            react-scripts > mini-css-extract-plugin > normalize-url
  More info       https://npmjs.com/advisories/1755

  High            Regular Expression Denial of Service
  Package         normalize-url
  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
  Dependency of   react-scripts
  Path            react-scripts > optimize-css-assets-webpack-plugin > cssnano
                  > cssnano-preset-default > postcss-normalize-url >
                  normalize-url
  More info       https://npmjs.com/advisories/1755

package.json

{
  "name": "wineharvest",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@testing-library/jest-dom": "^5.11.4",
    "@testing-library/react": "^11.1.0",
    "@testing-library/user-event": "^12.1.10",
    "node-sass": "^4.14.1",
    "normalize-url": "^4.5.1",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3",
    "web-vitals": "^1.0.1"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  },
  "devDependencies": {
    "glob-parent": "^5.1.2",
    "postcss": "^7.0.36"
  }
}

Any idea of what I should do?


Solution

  • UPDATE: After researching for a few hours, I've found a solution. If nothing works, install the package that gives you problems, for example, npm install postcss --save-dev. Then, add this to your package.json file:

    {
      "resolutions": {
        "postcss": "^7.0.36"
      }
    }
    

    If you're using npm, then you should add this to your scripts too:

    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }
    

    After you've installed the packages and added them to your package.json as previously mentioned, then you can run npm install. You should be able to see 0 vulnerabilities.

    For more information, refer to the source where all of this is explained: source for this issue