React update outdated dependencies flagged by Checkmarx

In my project, I have some outdated dependencies that have been flagged by Checkmarx.

However, the dependencies flagged are in react-scripts version 4.0.3. For example, there are packages flagged within react-scripts, i.e. ejs, immer, url-parse, debug and some more.

What would be the best way to upgrade these packages: individually, or by updating to the latest react-scripts version? Would that solve it?



Solution 1:[1]

I'm Ravid, a security researcher in Checkmarx. Please allow me to address your question.

The best way to work around this issue is to update the "root" (react-scripts in this case) to the latest version.

Once you update this package to its latest version (5.0.1), the transitive dependencies (AKA the children) will get updated accordingly. For example, react-scripts uses react-dev-utils, which uses immer; once you update react-scripts to the latest, you will notice it uses the latest version of immer.

Please note that a project might use a few different versions of the same package. For example, react-scripts (latest) uses debug in versions 4.3.4 (latest) as well as 2.69 and 3.27.

It is important to remember that even after updating the "root" package there might still be outdated "children" packages, since some packages are still using vulnerable/outdated package versions.

An example of that would be:

[image: Checkmarx dependency tree screenshot]

As you can see, react-scripts (latest) uses webpack-dev-server (latest), which uses portfinder (latest), which uses debug 3.2.7 (NOT latest). The "problem" lies in portfinder, which does not use the latest version of debug.

Regarding breaking code after updating the dependencies, Checkmarx has an engine that will alert you to the method, line, and file that was broken. At the moment, this feature is internal only but should be production-ready soon enough.
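The answer's point that one project can carry several copies of the same package, with an outdated copy hidden under a parent such as portfinder, is easy to check against the output of `npm ls --all --json`. The following Node script is an added example, not code from the question, the answer or Checkmarx: it walks such a tree, reports every copy of a named package with the chain of parents that pulled it in, flags copies older than a minimum version, and builds the `overrides` entry for package.json that pins only the offending parent's copy (npm 8.3 or newer honours `overrides`). The tree embedded below is constructed to mirror the answer's description; the versions of the intermediate packages are placeholders, not looked-up values, and only the react-scripts and debug versions come from the answer.

```javascript
// Added example: find outdated transitive copies of a package in an
// `npm ls --all --json` tree and derive a targeted npm `overrides` entry.
// Run with: node find-outdated.js   (or feed it real output of `npm ls --all --json`)
const MIN_DEBUG = "4.3.4"; // latest debug version named in the answer

// Constructed sample tree (same shape as `npm ls --all --json` output).
// Intermediate versions are "0.0.0-placeholder": constructed, not real releases.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "react-scripts": {
      version: "5.0.1",
      dependencies: {
        "react-dev-utils": {
          version: "0.0.0-placeholder",
          dependencies: { immer: { version: "0.0.0-placeholder" } },
        },
        "webpack-dev-server": {
          version: "0.0.0-placeholder",
          dependencies: {
            portfinder: {
              version: "0.0.0-placeholder",
              dependencies: { debug: { version: "3.2.7" } }, // the stale child
            },
          },
        },
        debug: { version: "4.3.4" }, // the up-to-date copy
      },
    },
  },
};

// Compare "major.minor.patch" numerically (pre-release suffix ignored): -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "name@version" -> "name", safe for scoped packages such as "@scope/pkg@1.0.0".
function nameOf(entry) {
  return entry.slice(0, entry.lastIndexOf("@"));
}

// Depth-first walk returning every copy of `name` with its chain of parents.
function findCopies(tree, name, path = []) {
  const hits = [];
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${node.version}`];
    if (dep === name) hits.push({ version: node.version, path: here });
    hits.push(...findCopies(node, name, here));
  }
  return hits;
}

// Copies older than `min`: the outdated "children" that survive a root upgrade.
function outdatedCopies(tree, name, min) {
  return findCopies(tree, name).filter((c) => compareSemver(c.version, min) < 0);
}

// Build a package.json `overrides` block that pins the package only under the
// parent that pulled in the stale copy, e.g. { portfinder: { debug: "4.3.4" } },
// instead of forcing every copy in the tree to one version.
function overridesFor(copies, name, version) {
  const overrides = {};
  for (const c of copies) {
    const parent = c.path.length > 1 ? nameOf(c.path[c.path.length - 2]) : null;
    if (parent) overrides[parent] = { ...(overrides[parent] || {}), [name]: version };
    else overrides[name] = version; // direct dependency: plain override
  }
  return { overrides };
}

const stale = outdatedCopies(sampleTree, "debug", MIN_DEBUG);
for (const c of stale) console.log("outdated:", c.path.join(" > "));
console.log(JSON.stringify(overridesFor(stale, "debug", MIN_DEBUG), null, 2));
```

On a real project, replace `sampleTree` with `JSON.parse` of the `npm ls --all --json` output; after adding the generated `overrides` to package.json, rerun `npm install` and the project's tests, since an override forces a version the parent did not declare support for.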

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
