Skip to content

[Snyk] Fix for 2 vulnerabilities #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
saurabharch wants to merge 1 commit into
base: next
Choose a base branch
from
Open

[Snyk] Fix for 2 vulnerabilities #117

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions packages/react-scripts/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
"html-webpack-plugin": "3.2.0",
"identity-obj-proxy": "3.0.0",
"loader-utils": "^1.1.0",
"jest": "22.4.3",
"jest": "24.0.0",

@gemini-code-assist gemini-code-assist Bot Jan 25, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Upgrading jest from v22 to v24 introduces breaking changes that are not handled in the codebase.

Specifically, the Jest configuration in scripts/utils/createJestConfig.js uses the setupTestFrameworkScriptFile option. This option was renamed to setupFilesAfterEnv in Jest 24. Without updating the configuration file, the test setup will be broken and tests will likely fail to run correctly.

This change is necessary for Jest 24 compatibility:

// In scripts/utils/createJestConfig.js
// ...
const config = {
  // ...
  setupFilesAfterEnv: setupTestsFile, // Formerly setupTestFrameworkScriptFile
  // ...
};
// ...

Since this automated PR only changes package.json, this required code change is missing.

"mini-css-extract-plugin": "^0.4.0",
"object-assign": "4.1.1",
"postcss-flexbugs-fixes": "3.3.1",
Expand All @@ -67,7 +67,7 @@
"thread-loader": "1.1.5",
"uglifyjs-webpack-plugin": "1.2.5",
"url-loader": "1.0.1",
"webpack": "4.8.3",
"webpack": "5.0.0",

@gemini-code-assist gemini-code-assist Bot Jan 25, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Upgrading webpack from v4 to v5 is a major undertaking with many breaking changes that are not addressed here. The build will fail with the current configuration.

Here are some of the critical issues that need to be resolved:

  • webpack-dev-server: Version 3.1.4 is incompatible with webpack 5. It must be upgraded to v4.
  • uglifyjs-webpack-plugin: This plugin is deprecated and will not work with webpack 5. The production configuration (webpack.config.prod.js) must be updated to use TerserWebpackPlugin, which is webpack 5's built-in minimizer.
  • Loaders and Plugins: Many of the webpack loaders (file-loader, url-loader, etc.) and plugins (html-webpack-plugin, mini-css-extract-plugin) are on old versions that are likely incompatible with webpack 5 and need to be updated or replaced (e.g., using Asset Modules instead of file-loader/url-loader).
  • Configuration Syntax: The node object for polyfills in webpack configurations is deprecated. This should be migrated to resolve.fallback.

Simply bumping the version number is insufficient and will break the package. A more comprehensive upgrade of the ecosystem is required.

"webpack-dev-server": "3.1.4",
"webpack-manifest-plugin": "2.0.3",
"whatwg-fetch": "2.0.4"
Expand Down