[Snyk] Security upgrade react-scripts from 4.0.3 to 5.0.0#49
…bilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15032660
Pull request overview
This PR upgrades react-scripts from version 4.0.3 to 5.0.0 to fix a medium-severity Directory Traversal vulnerability (SNYK-JS-TAR-15032660) with a score of 693. This is a security-focused upgrade initiated by Snyk.
Changes:
- Upgrades react-scripts dependency from 4.0.3 to 5.0.0 in package.json
- Updates package-lock.json to reflect the dependency changes (not shown in diff)
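The overview notes that the package-lock.json change is not visible in the diff, yet that file is where a transitive fix like this one actually lands. The following is an added example, not code from this PR or from Snyk's tooling: it walks a lockfile for every resolved copy of a package (here tar, the package the advisory ID names) and reports installs still below a patched version. The lockfile content is constructed, the patched-version threshold is a parameter because the page does not quote it, and a single minimum version across release lines is assumed.

```javascript
// Constructed lockfile (not the project's): one top-level tar and one nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "client", dependencies: { "react-scripts": "5.0.0" } },
    "node_modules/react-scripts": { version: "5.0.0" },
    "node_modules/tar": { version: "6.1.11" },
    "node_modules/node-gyp/node_modules/tar": { version: "4.4.13" },
  },
};

// Every install of `name` as [{ path, version }]; handles the lockfileVersion
// 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree.
function findInstalls(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Match the final path segment so nested copies are found as well.
      if (path.split("node_modules/").pop() === name && meta.version) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Numeric major.minor.patch compare (a string compare would put 6.1.9 above 6.1.11).
function isAtLeast(version, minimum) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = minimum.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Installs still below the first patched version; the caller supplies that
// version from the advisory (this page does not quote it).
function unpatchedInstalls(lock, name, fixedVersion) {
  return findInstalls(lock, name).filter((h) => !isAtLeast(h.version, fixedVersion));
}
```

Run against the real client/package-lock.json before and after the upgrade; if any nested copy of the package remains below the advisory's fixed version, the PR does not close the finding on its own.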
| "react-redux": "^7.2.3", | ||
| "react-router-dom": "^5.2.0", | ||
| "react-scripts": "4.0.3", | ||
| "react-scripts": "5.0.0", |
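Review bot: this hunk only moves the react-scripts pin in client/package.json from "4.0.3" to "5.0.0", while the finding it is meant to close (SNYK-JS-TAR-15032660, a directory traversal whose ID names tar) sits in a transitive dependency, and the package-lock.json change that carries the actual tar resolution is not shown in the diff. Before merging, check the lock file to confirm that every nested copy of tar resolved past the vulnerable range, since the fix is not guaranteed by the react-scripts bump alone. Keeping the exact pin "5.0.0" with no caret is consistent with the previous "4.0.3" and is fine.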
react-scripts 5.0.0 has a peer dependency requirement for React ^18.0.0, but this project is using React 17.0.2. This version incompatibility will likely cause issues during installation and runtime. To properly upgrade react-scripts to 5.0.0, you should also upgrade react and react-dom to version 18. This requires additional code changes, particularly in src/index.js where ReactDOM.render() should be replaced with the new React 18 createRoot API.
| "react-scripts": "5.0.0", | |
| "react-scripts": "4.0.3", |
| "react-redux": "^7.2.3", | ||
| "react-router-dom": "^5.2.0", | ||
| "react-scripts": "4.0.3", | ||
| "react-scripts": "5.0.0", |
The testing library packages may need to be updated for React 18 compatibility. @testing-library/react version 11.2.6 was designed for React 17. When upgrading to React 18 (required for react-scripts 5.0.0), you should also upgrade @testing-library/react to version 13.x or higher, which supports React 18.
| "react-redux": "^7.2.3", | ||
| "react-router-dom": "^5.2.0", | ||
| "react-scripts": "4.0.3", | ||
| "react-scripts": "5.0.0", |
react-scripts 5.0.0 requires Node.js version 14 or higher. The project specifies Node v16.13.0 in .nvmrc, which meets this requirement. However, note that react-scripts 5.0.0 drops support for Internet Explorer 11. Review the browserslist configuration to ensure it aligns with the browsers you need to support.
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- client/package.json
- client/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15032660
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Directory Traversal