[Snyk] Security upgrade react-scripts from 3.4.1 to 5.0.0 #244
xtremebeing wants to merge 1 commit into development from
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ELLIPTIC-14908844
Pull request overview
This PR upgrades react-scripts from version 3.4.1 to 5.0.0 to address a cryptographic vulnerability (SNYK-JS-ELLIPTIC-14908844) with a severity score of 708. However, this is a major version upgrade that introduces breaking changes requiring additional dependency updates.
Changes:
- Upgraded react-scripts from 3.4.1 to 5.0.0 to fix security vulnerability in the elliptic cryptographic library
| "react-paginate": "^6.3.2", | ||
| "react-router-dom": "^5.2.0", | ||
| "react-scripts": "3.4.1", | ||
| "react-scripts": "5.0.0", |
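Review bot: the pin on this line jumps two major versions (3.4.1 to 5.0.0) while react and react-dom are not touched anywhere in the diff; before merging, run the project's build and test scripts against this branch and confirm that the vulnerable elliptic release has actually left the resolved dependency tree (for example with `yarn why elliptic` after `yarn`), since a major-version react-scripts upgrade can change which transitive packages are installed at all.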
Upgrading react-scripts to 5.0.0 requires React 17 or higher, but the current project uses React 16.13.1 (line 12). This version mismatch will cause the application to fail. You need to upgrade react and react-dom to at least version 17.0.0 or 18.0.0 to be compatible with react-scripts 5.0.0.
| "react-paginate": "^6.3.2", | ||
| "react-router-dom": "^5.2.0", | ||
| "react-scripts": "3.4.1", | ||
| "react-scripts": "5.0.0", |
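Review bot: the yarn.lock hunk that decides whether elliptic really moves to a patched release is not shown next to this package.json change; please include or link the lockfile diff for the elliptic entry so the fix can be verified from the PR itself. Keeping the pin exact (`"react-scripts": "5.0.0",`) rather than a caret range is consistent with the previous `"3.4.1"` pin and is fine to leave as is.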
Upgrading react-scripts to 5.0.0 is incompatible with the current React version 16.13.1 specified in this package.json. React-scripts 5.0.0 requires React 17 or higher. This upgrade will cause the application and tests to fail. You must also upgrade react and react-dom to at least version 17.0.0, along with updating @testing-library/react and other testing dependencies to compatible versions.
Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
- package.json
- yarn.lock
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run `yarn` to update the contents of the .yarn/cache directory. If you are not using zero-install you can ignore this, as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-ELLIPTIC-14908844
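Whether this PR fixes the advisory above depends on what yarn.lock resolves for elliptic after the upgrade, not on the package.json line alone. The following is an added example, not code from this PR, from Snyk, or from the repository: a small reader for the yarn.lock v1 format that lists which versions of a package are still resolved and which lockfile entries pull it in, and checks them against a patched-version threshold. The lockfile excerpt embedded in it is constructed for illustration, and the `6.5.4` threshold passed to `isFixed` is an assumed example value; take the real first-patched release from the advisory linked above.

```javascript
// Added example (not part of the PR or of Snyk's tooling): a yarn.lock v1 reader
// that reports resolved versions of a transitive package and its dependents.
// SAMPLE_LOCK is a constructed excerpt, not this repository's real lockfile.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

browserify-sign@^4.0.0:
  version "4.2.1"
  integrity sha512-placeholder
  dependencies:
    elliptic "^6.5.3"

elliptic@^6.0.0, elliptic@^6.5.3:
  version "6.5.3"
  integrity sha512-placeholder
  dependencies:
    bn.js "^4.4.0"

"elliptic@>=6.5.4":
  version "6.5.4"
  integrity sha512-placeholder

react-scripts@5.0.0:
  version "5.0.0"
  integrity sha512-placeholder
`;

// Parse yarn.lock v1 text into { "<spec>": { version, dependencies } }.
// Entry headers are unindented lines ending in ":" that list comma-separated,
// optionally quoted specs; fields are 2-space indented, dependencies 4-space.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const specs = line.replace(/:$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { version: null, dependencies: {} };
      for (const spec of specs) entries[spec] = current; // aliases share one entry
    } else if (current && line.startsWith("    ")) {
      const m = /^\s{4}"?([^"\s]+)"?\s+"?([^"]*)"?$/.exec(line);
      if (m) current.dependencies[m[1]] = m[2];
    } else if (current) {
      const m = /^\s{2}(\S+)\s+"?([^"]*)"?$/.exec(line);
      if (m && m[1] === "version") current.version = m[2];
    }
  }
  return entries;
}

// Package name of a spec such as "elliptic@^6.5.3" or "@babel/core@^7.0.0";
// scoped names start with "@", so the separator is the last "@".
function specName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Distinct versions of `name` resolved anywhere in the lockfile, ascending.
function resolvedVersions(lockText, name) {
  const versions = new Set();
  for (const [spec, entry] of Object.entries(parseYarnLockV1(lockText))) {
    if (specName(spec) === name && entry.version) versions.add(entry.version);
  }
  return [...versions].sort(compareSemver);
}

// Entry specs whose dependencies pull in `name` (a lockfile-only "yarn why").
function dependents(lockText, name) {
  const out = [];
  for (const [spec, entry] of Object.entries(parseYarnLockV1(lockText))) {
    if (name in entry.dependencies) out.push(spec);
  }
  return out.sort();
}

// True when `name` is absent or every resolved copy is at or above `fixedVersion`.
// The caller supplies fixedVersion from the advisory; "6.5.4" below is an assumed
// example value, not a figure taken from this PR.
function isFixed(lockText, name, fixedVersion) {
  return resolvedVersions(lockText, name)
    .every((v) => compareSemver(v, fixedVersion) >= 0);
}

// Stand-alone run on the constructed excerpt; on the branch, replace SAMPLE_LOCK
// with the real file contents (e.g. fs.readFileSync("yarn.lock", "utf8")).
console.log("elliptic versions:", resolvedVersions(SAMPLE_LOCK, "elliptic"));
console.log("pulled in by:", dependents(SAMPLE_LOCK, "elliptic"));
console.log("all at/above 6.5.4?", isFixed(SAMPLE_LOCK, "elliptic", "6.5.4"));
```

On the constructed excerpt the check fails because one alias group still resolves elliptic 6.5.3, which is exactly the situation a lockfile-only review is meant to catch: a package.json bump is only a fix if every resolved copy of the vulnerable package moves, and this reader shows which entry is still holding the old one.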
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.