react-scripts is using postcss@^7.0.35 which has security vulnerability #13423
Comments
A link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-44270
Actually, in our project, we don't import the resolve-url-loader package directly. Only the react-scripts module has some dependencies on resolve-url-loader, and here I get vulnerabilities.
I had to use overrides in my package.json to overcome these errors:
However, the dependency should be updated in the main branch.
@Dror-Bar thank you, you are going to be in my video on using Trivy to fix vulnerabilities with this suggestion -- Thank you!!!
react-scripts@5.0.1 requires postcss@^7.0.35 via a transitive dependency on resolve-url-loader@4.0.0
I see the latest version of resolve-url-loader is 5.x, and it depends on postcss@8.x. So can we update resolve-url-loader to a non-vulnerable version? Thank you!
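Added example (not part of the issue thread or of react-scripts): a small Node.js script that walks the `packages` map of an npm lockfile and reports which package's dependency resolves to an installed postcss 7.x, which is the transitive chain described in this issue. The sample lockfile is constructed, and `resolveDep` and `whoPullsIn` are hypothetical helper names.

```javascript
// Constructed sample in npm lockfile v2/v3 layout; versions not named in the issue are made up.
const sampleLock = {
  packages: {
    "": { dependencies: { "react-scripts": "5.0.1" } },
    "node_modules/react-scripts": {
      version: "5.0.1",
      dependencies: { postcss: "^8.4.4", "resolve-url-loader": "^4.0.0" },
    },
    "node_modules/postcss": { version: "8.4.4" },
    "node_modules/resolve-url-loader": {
      version: "4.0.0",
      dependencies: { postcss: "^7.0.35" },
    },
    "node_modules/resolve-url-loader/node_modules/postcss": { version: "7.0.39" },
  },
};

// Node-style lookup: try <dir>/node_modules/<dep>, then walk up one package level at a time.
function resolveDep(packages, fromPath, dep) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // already at the project root
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Hypothetical helper: list every package whose declared dependency on `name`
// resolves to an installed copy with the given major version.
function whoPullsIn(lock, name, major) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    if (!(name in deps)) continue;
    const target = resolveDep(packages, path, name);
    if (!target || !packages[target].version) continue;
    const version = packages[target].version;
    if (Number(version.split(".")[0]) !== major) continue;
    const requiredBy = path.split("node_modules/").pop() || "(root project)";
    findings.push({ requiredBy, range: deps[name], installedAt: target, version });
  }
  return findings;
}

console.log(whoPullsIn(sampleLock, "postcss", 7));
```

To check a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`.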