Skip to content

Inefficient Regular Expression Complexity in nth-check and PostCSS line return parsing error #4878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rkristelijn opened this issue Apr 22, 2025 · 4 comments
Closed

Inefficient Regular Expression Complexity in nth-check and PostCSS line return parsing error #4878

rkristelijn opened this issue Apr 22, 2025 · 4 comments
Labels
dependencies Update of dependencies scope: toolpad-core Abbreviated to "core"

Comments

@rkristelijn
Copy link
Contributor

rkristelijn commented Apr 22, 2025
edited by github-actions bot
Loading

Steps to reproduce

Steps:

  1. just install toolpad per https://mui.com/toolpad/core/introduction/installation/ npm install @mui/material @mui/icons-material @emotion/react @emotion/styled
  2. run npm audit
❯ npm audit
# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

8 vulnerabilities (2 moderate, 6 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
❯ npm ls react-script
[email protected] /Users/nlrxk0145/git/hub/react-toolpad
└── (empty)

❯ npm ls nth-check
[email protected] /Users/nlrxk0145/git/hub/react-toolpad
└─┬ [email protected]
  ├─┬ @svgr/[email protected]
  │ └─┬ @svgr/[email protected]
  │   └─┬ [email protected]
  │     └─┬ [email protected]
  │       └── [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

Current behavior

No response

Expected behavior

no vulnerability issues

Context

No response

Your environment

npx @mui/envinfo 
  System:
    OS: macOS 15.4.1
  Binaries:
    Node: 22.14.0 - ~/.nvm/versions/node/v22.14.0/bin/node
    npm: 11.1.0 - ~/.nvm/versions/node/v22.14.0/bin/npm
    pnpm: 10.7.1 - ~/.nvm/versions/node/v22.14.0/bin/pnpm
  Browsers:
    Chrome: 135.0.7049.96
    Edge: 135.0.3179.85
    Safari: 18.4
  npmPackages:
    @emotion/react: ^11.14.0 => 11.14.0
    @emotion/styled: ^11.14.0 => 11.14.0
    @mui/core-downloads-tracker:  7.0.2
    @mui/icons-material: ^7.0.2 => 7.0.2
    @mui/material: ^7.0.2 => 7.0.2
    @mui/private-theming:  7.0.2
    @mui/styled-engine:  7.0.2
    @mui/system:  7.0.2
    @mui/types:  7.4.1
    @mui/utils:  7.0.2
    @types/react: ^19.1.2 => 19.1.2
    react: ^19.1.0 => 19.1.0
    react-dom: ^19.1.0 => 19.1.0
    typescript: ^4.9.5 => 4.9.5

Search keywords: nth-check postcss react-scripts
@rkristelijn rkristelijn added the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Apr 22, 2025
@rkristelijn
Copy link
Contributor Author

adding overrides to package.json solves it for me as a workaround:

package.json:

{
  "...",
  "overrides": {
    "nth-check": "^2.0.1",
    "postcss": "^8.4.31",
    "css-select": "^4.0.0",
    "svgo": "^2.0.0"
  }
}

@Janpot
Copy link
Member

Janpot commented Apr 22, 2025

Can't reproduce, according to your logs these come in through react-scripts. That isn't a dependency that should come in when running npm install @mui/material @mui/icons-material @emotion/react @emotion/styled.

Please run npm why react-scripts to find out why it's installed.

@Janpot Janpot added status: waiting for author Issue with insufficient information and removed status: waiting for maintainer These issues haven't been looked at yet by a maintainer labels Apr 22, 2025
@rkristelijn
Copy link
Contributor Author

npm why react-scripts
[email protected]
node_modules/react-scripts
react-scripts@"5.0.1" from the root project

🙈

@github-actions github-actions bot added status: waiting for maintainer These issues haven't been looked at yet by a maintainer and removed status: waiting for author Issue with insufficient information labels Apr 22, 2025
@github-actions GitHub Actions
Copy link

This issue has been closed. If you have a similar problem but not exactly the same, please open a new issue.
Now, if you have additional information related to this issue or things that could help future readers, feel free to leave a comment.

@github-actions github-actions bot removed the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Apr 22, 2025
@rkristelijn rkristelijn mentioned this issue Apr 22, 2025
Open
@zannager zannager added dependencies Update of dependencies scope: toolpad-core Abbreviated to "core" labels Apr 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dependencies Update of dependencies scope: toolpad-core Abbreviated to "core"
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Janpot @rkristelijn @zannager