GitHub Dependabot alert: `nth-check is vulnerable to Inefficient Regular Expression Complexity`
Matthew C.
When using Create React App to set up a single-page application in React, you may get a GitHub Dependabot security alert, similar to the following notification:
nth-check is vulnerable to Inefficient Regular Expression Complexity
Dependabot cannot update nth-check to a non-vulnerable version
The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:
[email protected] requires nth-check@^1.0.2 via a transitive dependency on [email protected]
The earliest fixed version is 2.0.1.
If the alert is raised against a Create React App application, you can ignore the warning.
The security alert is raised because of a regular expression denial of service (ReDoS) vulnerability in nth-check that causes a denial of service when nth-check parses specific invalid CSS nth expressions.
The nth-check library is used to parse and compile the :nth-child() and :nth-last-of-type() CSS pseudo-classes.
Create React App is a build tool, and nth-check is a build-time dependency.
The ReDoS vulnerability isn’t exploitable, as Create React App produces static HTML, CSS, and JavaScript.
Because the HTML, CSS, and JavaScript are static, the vulnerable code isn’t part of the build output. You can consider the security notification a false alarm.
Dependabot alerts and npm audits often give false positive security warnings for frontend tooling libraries, as explained in this Create React App GitHub issue.
When using Create React App, you can configure GitHub Dependabot to ignore dependency warnings in the configuration options of a dependabot.yml file.
If, however, you’re using nth-check as a dependency in an app where the vulnerable code could be exposed (such as in a Node.js app), you should update nth-check to version 2.0.1 or later and update all packages that depend on the older version of nth-check.
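To decide which of the two cases above applies to your own project, it helps to see every dependency chain that leads from your package.json to nth-check. The following script is an added example, not code from the article or from Create React App: it walks a package-lock.json (lockfileVersion 2 or 3), resolves dependencies the way npm nests node_modules folders, and reports whether nth-check is reachable only through build tooling. The sample lockfile, its package versions, and the assumption that react-scripts is build-only are constructed for the example.

```javascript
// Constructed sample lockfile, trimmed to the chain that matters. Versions are illustrative only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-scripts": "5.0.1", react: "18.2.0" } },
    "node_modules/react-scripts": { version: "5.0.1", dependencies: { "@svgr/webpack": "^5.5.0" } },
    "node_modules/@svgr/webpack": { version: "5.5.0", dependencies: { svgo: "^1.2.2" } },
    "node_modules/svgo": { version: "1.3.2", dependencies: { "css-select": "^2.0.0" } },
    "node_modules/css-select": { version: "2.1.0", dependencies: { "nth-check": "^1.0.2" } },
    "node_modules/nth-check": { version: "1.0.2" },
    "node_modules/react": { version: "18.2.0" },
  },
};

// Assumption: packages in this set run only at build time and never ship to the browser.
const BUILD_ONLY = new Set(["react-scripts"]);

// Resolve `name` as npm does: nearest node_modules folder, walking up from `fromPath` to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package, collecting every chain of names that ends at `target`.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const visit = (path, chain) => {
    for (const dep of Object.keys((packages[path] || {}).dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || chain.includes(dep)) continue; // unresolved entry or a cycle
      const next = chain.concat(dep);
      if (dep === target) chains.push(next);
      else visit(depPath, next);
    }
  };
  visit("", []);
  return chains;
}

// Chains that contain no build-only package are the ones where the vulnerable code could be exposed.
function runtimeChains(lock, target, buildOnly = BUILD_ONLY) {
  return findChains(lock, target).filter((chain) => !chain.some((n) => buildOnly.has(n)));
}

for (const chain of findChains(sampleLock, "nth-check")) console.log(chain.join(" > "));
console.log(runtimeChains(sampleLock, "nth-check").length ? "reachable at runtime: upgrade" : "build-time only");
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.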