How to fix npm package braces issue with react-scripts v2.1.5 when npm audit does nothing?

CrumrineCoder picture CrumrineCoder · Feb 17, 2019 · Viewed 9.5k times · Source

My NPM package in my react client folder is giving me 63 low vulnerabilities all dealing with the braces package mainly in the jest folder of the react-scripts package of version 2.1.5. NPM Audit fix doesn't work, what do I do?

I've tried downgrading to previous versions of react-scripts, updating braces either through updating the package.json, deleting the package lock, and running npm install again, or running npm update braces, but nothing has worked after 2 hours of fiddling. I've also tried to revert to a previous version of my Github package.json when it was working. I believe it stopped working after I tried to download firebase-ui, but I think it has to do with updating the packages since I've deleted the node modules and npm installing several times.

Here's what my clean package.json that's messing up.

"webpack-dev-server": "3.1.14",
"@babel/core": "*",
"axios": "*",
"body-parser": "*",
"bootstrap": "*",
"cors": "*",
"dotenv": "*",
"draft-js": "*",
"draft-js-export-html": "*",
"errorhandler": "*",
"express": "*",
"express-session": "*",
"history": "*",
"jquery": "*",
"moment": "*",
"mongoose": "*",
"morgan": "*",
"node-sass-chokidar": "*",
"npm-run-all": "*",
"path": "*",
"query-string": "*",
"react": "*",
"react-dom": "*",
"react-loadable": "*",
"react-redux": "*",
"react-router-dom": "*",
"react-router-redux": "*",
"react-scripts": "*",
"react-validation": "*",
"reactstrap": "*",
"recharts": "*",
"redux": "*",
"redux-logger": "*",
"redux-observable": "*",
"redux-thunk": "*",
"rxjs": "*",
"rxjs-compat": "*",
"validator": "*"

And here's the issue I'm getting:

Low Regular Expression Denial of Service

Package braces

Dependency of react-scripts

Path react-scripts > jest > jest-cli > micromatch > braces

More info https://nodesecurity.io/advisories/786

Answer

jeffdstephens picture jeffdstephens · Feb 17, 2019

I ran npm install [email protected] and then npm update

That still resulted in the 63 vulnerabilities but it did bring my braces to the current version. So I went through and updated ALL references of braces in the package-lock.json to 2.3.2. I then ran npm update again and when I ran npm audit the vulnerabilities were gone.