
npm audit

npm audit report

json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/babel-preset-expo/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/babel-preset-expo/node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-preset-expo/node_modules/babel-plugin-module-resolver
babel-preset-expo *
Depends on vulnerable versions of babel-plugin-module-resolver
node_modules/babel-preset-expo
expo >=14.0.0
Depends on vulnerable versions of babel-preset-expo
node_modules/expo

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

├─┬ @babel/[email protected]
│ └── [email protected] deduped
├─┬ @expo/[email protected] extraneous
│ └── [email protected] extraneous
├─┬ [email protected] invalid: "5.0.0" from the root project
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected] extraneous
│ └─┬ @expo/[email protected]
│ └─┬ @expo/[email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├─┬ @expo/[email protected]
│ │ ├─┬ @expo/[email protected]
│ │ │ └── [email protected]
│ │ ├─┬ @expo/[email protected]
│ │ │ └─┬ @expo/[email protected]
│ │ │ └── [email protected]
│ │ └─┬ @expo/[email protected]
│ │ └─┬ @expo/[email protected]
│ │ └── [email protected]
│ ├─┬ @expo/[email protected]
│ │ └─┬ @expo/[email protected]
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └─┬ @expo/[email protected]
│ └─┬ @expo/[email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected] deduped
├── [email protected]
└─┬ [email protected] extraneous
└── [email protected] deduped

"npm audit fix --force" or the npm install --save json5@latest command is not working as expected.

2 Answers


  1. Resolved the issues by updating the dependencies in the package-lock.json file; not sure if this is the best scenario. I followed the steps on this website: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d

    The issue looks like a false positive.

    Check the version of the packages installed. You can either remove the dep

    1. Go to package-lock.json and find:
    "node_modules/find-babel-config": {
        "version": "1.2.0",
        "resolved": "...",
        "integrity": "...",
        "dependencies": {
            "json5": "^0.5.1", // Here is the problem
            "path-exists": "^3.0.0"
        },
        "engines": {
            "node": ">=4.0.0"
        }
    },
    
    2. Change it to "json5": "^2.2.3" and run npm install

    This solves the problem, but npm audit will still show the high severity report.

    To fix that, find and change this:

    "node_modules/find-babel-config/node_modules/json5": {
        "version": "0.5.1",
        "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.1.tgz"
    }
    

    To:

    "node_modules/find-babel-config/node_modules/json5": {
        "version": "2.2.3", // lockfile "version" fields are exact versions, not ranges
        "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz"
        // the entry's "integrity" hash must also match the 2.2.3 tarball
    }
    

    Then run npm i

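Both answers come down to the same observation: the `npm audit` chain is about a second, nested copy of json5 (node_modules/babel-preset-expo/node_modules/json5) that find-babel-config resolves to, so installing json5@latest at the project root only replaces the hoisted copy. The script below is an added example, not code from the question or either answer: it walks a lockfile in the npm 7+ `packages` format, lists every installed copy of a package older than the advisory's fixed version, works out which dependents actually resolve to each copy using Node's node_modules lookup rule, and emits a dependent-scoped `overrides` entry for package.json (supported since npm 8.3) as the alternative to editing package-lock.json by hand. The embedded lockfile is constructed for the example with placeholder integrity hashes; its paths mirror the audit output above but it is not the asker's real file.

```javascript
// Added example (not from the original post): audit a package-lock.json for nested
// copies of a vulnerable package and derive a scoped "overrides" entry.
// Assumes the npm >= 7 lockfile layout, where "packages" is keyed by install path.

const FIXED = '1.0.2';           // first json5 release without the advisory (from the audit report)
const OVERRIDE_RANGE = '^2.2.3'; // range the second answer pins json5 to

// Constructed sample lockfile: paths follow the question's audit chain, hashes are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { expo: '^47.0.0', json5: '^2.2.3' } },
    'node_modules/json5': { version: '2.2.3', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/expo': { version: '47.0.0', dependencies: { 'babel-preset-expo': '~9.2.0' } },
    'node_modules/babel-preset-expo': { version: '9.2.0', dependencies: { 'babel-plugin-module-resolver': '^4.1.0' } },
    'node_modules/babel-preset-expo/node_modules/babel-plugin-module-resolver': { version: '4.1.0', dependencies: { 'find-babel-config': '^1.2.0' } },
    'node_modules/babel-preset-expo/node_modules/find-babel-config': { version: '1.2.0', dependencies: { json5: '^0.5.1', 'path-exists': '^3.0.0' } },
    'node_modules/babel-preset-expo/node_modules/json5': { version: '0.5.1', integrity: 'sha512-PLACEHOLDER' },
  },
};

// Numeric x.y.z comparison (pre-release tags dropped); enough for lockfile "version" fields.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Which installed copy of `name` does the package at `fromPath` resolve to?
// Node tries <dir>/node_modules/<name> at each ancestor level, which is exactly
// what the lockfile keys encode, so we can replay the lookup offline.
function resolveFrom(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Every installed copy of `name` whose version is below `fixed`, with its install path.
function findVulnerableCopies(lock, name, fixed) {
  return Object.entries(lock.packages)
    .filter(([p, meta]) => p.endsWith(`node_modules/${name}`) && meta.version && compareVersions(meta.version, fixed) < 0)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Map each vulnerable copy to the packages that really resolve to it. This is why a
// root-level `npm install json5@latest` changes nothing for find-babel-config.
function findDependents(lock, name, fixed) {
  const vulnerable = new Set(findVulnerableCopies(lock, name, fixed).map((c) => c.path));
  const dependents = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (!meta.dependencies || !(name in meta.dependencies)) continue;
    const resolved = resolveFrom(lock, p, name);
    if (resolved && vulnerable.has(resolved)) {
      dependents.push({ dependent: p, range: meta.dependencies[name], resolvedTo: resolved });
    }
  }
  return dependents;
}

// Build a package.json "overrides" object scoped to each dependent, e.g.
// { "find-babel-config": { "json5": "^2.2.3" } }, rather than a global override.
function buildOverrides(lock, name, fixed, range) {
  const overrides = {};
  for (const d of findDependents(lock, name, fixed)) {
    const marker = 'node_modules/';
    const dependentName = d.dependent.slice(d.dependent.lastIndexOf(marker) + marker.length);
    overrides[dependentName] = { [name]: range };
  }
  return overrides;
}

function report(lock, name = 'json5', fixed = FIXED, range = OVERRIDE_RANGE) {
  return {
    vulnerable: findVulnerableCopies(lock, name, fixed),
    dependents: findDependents(lock, name, fixed),
    overrides: buildOverrides(lock, name, fixed, range),
  };
}

console.log(JSON.stringify(report(SAMPLE_LOCK), null, 2));
```

On the sample lockfile the report names one vulnerable copy (the nested 0.5.1 under babel-preset-expo), one dependent (find-babel-config with range ^0.5.1), and the override `{"find-babel-config": {"json5": "^2.2.3"}}`. Putting that object under `"overrides"` in package.json and running npm install lets npm regenerate the lockfile and integrity hashes itself, which is what a hand edit of package-lock.json skips.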