Bump tar and react-scripts#11
Conversation
Removes [tar](https://github.com/isaacs/node-tar). It's no longer used after updating ancestor dependency [react-scripts](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-scripts). These dependencies need to be updated together. Removes `tar` Updates `react-scripts` from 1.0.13 to 1.1.5 - [Release notes](https://github.com/facebook/create-react-app/releases) - [Changelog](https://github.com/react/create-react-app/blob/main/CHANGELOG-1.x.md) - [Commits](https://github.com/facebook/create-react-app/commits/v1.1.5/packages/react-scripts) --- updated-dependencies: - dependency-name: tar dependency-version: dependency-type: indirect - dependency-name: react-scripts dependency-version: 1.1.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
| webpack-dev-server@2.7.1: | ||
| version "2.7.1" | ||
| resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz#21580f5a08cd065c71144cf6f61c345bca59a8b8" | ||
| webpack-dev-server@2.11.3: |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 8060 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.
To resolve this comment:
Check if you are using webpack dev server CLI setup.
- If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| webpack-dev-server@2.7.1: | ||
| version "2.7.1" | ||
| resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz#21580f5a08cd065c71144cf6f61c345bca59a8b8" | ||
| webpack-dev-server@2.11.3: |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 8060 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.
To resolve this comment:
Check if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser.
- If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| @@ -2723,13 +3248,20 @@ fs.realpath@^1.0.0: | |||
| version "1.0.0" | |||
| resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f" | |||
|
|
|||
| fsevents@1.1.2, fsevents@^1.0.0: | |||
| fsevents@^1.0.0: | |||
There was a problem hiding this comment.
👿 Malicious dependency detected—remove immediately
The version 1.1.2 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.
ℹ️ Why this matters
This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.
References: https://osv.dev/vulnerability/MAL-2023-462
To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at yarn.lock.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| webpack-dev-server@2.7.1: | ||
| version "2.7.1" | ||
| resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz#21580f5a08cd065c71144cf6f61c345bca59a8b8" | ||
| webpack-dev-server@2.11.3: |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 8060 lists a dependency (webpack-dev-server) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files.
To resolve this comment:
Check if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument).
- If you're affected, upgrade this dependency to at least version 3.1.11 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| @@ -995,7 +1076,7 @@ babel-template@^6.16.0, babel-template@^6.24.1, babel-template@^6.25.0, babel-te | |||
| babylon "^6.18.0" | |||
| lodash "^4.17.4" | |||
|
|
|||
| babel-traverse@^6.18.0, babel-traverse@^6.23.1, babel-traverse@^6.24.1, babel-traverse@^6.25.0, babel-traverse@^6.26.0: | |||
| babel-traverse@^6.18.0, babel-traverse@^6.23.1, babel-traverse@^6.24.1, babel-traverse@^6.26.0: | |||
There was a problem hiding this comment.
Critical severity vulnerability may affect your project—review required:
Line 1079 lists a dependency (babel-traverse) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
|
Semgrep found 1 Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's affix plugin passes its Manual Review Advice: A vulnerability from this advisory is reachable if you are calling Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1882. Reference(s): GHSA-ph58-4vrj-w6hr, CVE-2018-20677 Semgrep found 2 Risk: Affected versions of js-yaml are vulnerable to Uncontrolled Resource Consumption. js-yaml is vulnerable to denial of service when parsing untrusted YAML: a document that uses nested arrays as mapping keys combined with anchors and aliases triggers exponential string expansion during parsing, stalling the Node.js process and exhausting memory. Any call to a js-yaml load function (load, loadAll, safeLoad, safeLoadAll) on attacker-controlled input is affected. Manual Review Advice: A vulnerability from this advisory is reachable if you are using Fix: Upgrade this library to at least version 3.13.0 at react-redux-embedded-login/package-lock.json:4633. Reference(s): GHSA-2pr6-76vf-7546 Semgrep found 2 Risk: Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key ( Manual Review Advice: A vulnerability from this advisory is reachable if you are using Fix: Upgrade this library to at least version 3.14.2 at react-redux-embedded-login/package-lock.json:4633. Reference(s): GHSA-mh29-5h37-fv8m, CVE-2025-64718 Semgrep found 1 Risk: Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such Manual Review Advice: A vulnerability from this advisory is reachable if you are using Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:14938. Reference(s): GHSA-4v9v-hfq4-rm2v, CVE-2025-30359 Semgrep found 1 Risk: Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable. Manual Review Advice: A vulnerability from this advisory is reachable if you are using Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:14938. Reference(s): GHSA-9jgg-88mc-972h, CVE-2025-30360 Semgrep found 1 Risk: Affected versions of bootstrap are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's collapse plugin passes the Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1882. Reference(s): GHSA-3wqf-4x89-9g79, CVE-2018-14040 Semgrep found 1 Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's JavaScript plugins (Alert, Carousel, Collapse, Dropdown, Modal, Tab) pass the Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1882. Reference(s): GHSA-4p24-vmcr-4gqj, CVE-2016-10735 Semgrep found 1 Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise. Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:706. Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175 Semgrep found 1 Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying Manual Review Advice: A vulnerability from this advisory is reachable if you have Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:706. Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718 Semgrep found 1 Risk: Affected versions of axios are vulnerable to Inefficient Regular Expression Complexity / Uncontrolled Resource Consumption. axios is vulnerable to a regular expression denial of service (ReDoS). The internal Manual Review Advice: A vulnerability from this advisory is reachable if you are using axios in browser with untrusted Fix: Upgrade this library to at least version 0.32.0 at react-redux-embedded-login/package-lock.json:706. Reference(s): GHSA-hfxv-24rg-xrqf Semgrep found 1 Risk: Affected versions of handlebars are vulnerable to Improper Control of Generation of Code ('Code Injection') / Improper Encoding or Escaping of Output / Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The Handlebars CLI precompiler allows arbitrary JavaScript injection by embedding unescaped template filenames and CLI option values such as Manual Review Advice: A vulnerability from this advisory is reachable if you execute templates through the Handlebars CLI precompiler Fix: Upgrade this library to at least version 4.7.9 at react-redux-embedded-login/package-lock.json:5859. Reference(s): GHSA-xjpj-3mr7-gcpf, CVE-2026-33941 Semgrep found 1 Risk: Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like Manual Review Advice: A vulnerability from this advisory is reachable if you are using acorn on the CLI Fix: Upgrade this library to at least version 5.7.4 at react-redux-embedded-login/package-lock.json:94. Reference(s): GHSA-6chw-6frg-f759 Semgrep found 1 Risk: Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files. Manual Review Advice: A vulnerability from this advisory is reachable if you are using Fix: Upgrade this library to at least version 3.1.11 at react-redux-embedded-login/package-lock.json:14938. Reference(s): GHSA-cf66-xwfp-gvc4, CVE-2018-14732 Semgrep found 1 Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service. Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli Fix: Upgrade this library to at least version 0.7.24 at react-redux-embedded-login/package-lock.json:14363. Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292 Semgrep found 1 Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input. Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli Fix: Upgrade this library to at least version 0.7.22 at react-redux-embedded-login/package-lock.json:14363. Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733 Semgrep found 1 Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service. Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli Fix: Upgrade this library to at least version 0.7.23 at react-redux-embedded-login/package-lock.json:14363. Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793 Semgrep found 1 Risk: tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string. Fix: Upgrade this library to at least version 1.0.5 at react-redux-embedded-login/package-lock.json:14121. Reference(s): GHSA-jgrx-mgxx-jf9v, CVE-2021-3777 Semgrep found 1 Risk: Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation. Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript Fix: There are no safe versions of this library available for upgrade. Library included at react-redux-embedded-login/package-lock.json:1624. Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133 Semgrep found 1 Risk: Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Fix: Upgrade this library to at least version 0.5.1 at react-redux-embedded-login/package-lock.json:3460. Reference(s): GHSA-hr2v-3952-633q, CVE-2018-3750 Semgrep found 2 Risk: Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The Fix: Upgrade this library to at least version 2.0.1 at react-redux-embedded-login/package-lock.json:13059. Reference(s): GHSA-4g88-fppr-53pp, CVE-2019-10747 |
Removes tar. It's no longer used after updating ancestor dependency react-scripts. These dependencies need to be updated together.
Removes
tarUpdates
react-scriptsfrom 1.0.13 to 1.1.5Release notes
Sourced from react-scripts's releases.
... (truncated)
Changelog
Sourced from react-scripts's changelog.
... (truncated)
Commits
550fccbBump releaseca88a69Bump versionsca59983Fix link to the article about BEM (#4858)ea7b374add react-testing-library documentation/examples (#4679)8de0412babel-preset-react-app@3.1.2dfbc71cPublish408db51Publishd639e90Work around Jest environment resolving bug (#4247)609aeeaPublishcb1608bAdd troubleshooting for Github Pages (#4197)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.