GitHub Dependabot alert: `nth-check is vulnerable to Inefficient Regular Expression Complexity`
Matthew C.
When using Create React App to set up a single-page application in React, you may get a GitHub Dependabot security alert similar to the following notification:

> nth-check is vulnerable to Inefficient Regular Expression Complexity
> Dependabot cannot update nth-check to a non-vulnerable version
> The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:
> react-scripts@4.0.3 requires nth-check@^1.0.2 via a transitive dependency on css-select@2.1.0
> The earliest fixed version is 2.0.1.
If the problem is in a Create React App React application, you can ignore the warning.
The security alert is raised because of a regular expression denial of service (ReDoS) vulnerability in `nth-check`: parsing certain invalid CSS nth expressions makes the library's regular expression take excessive time, which can be used to cause a denial of service. The `nth-check` library is used to parse and compile the `:nth-child()` and `:nth-last-of-type()` CSS pseudo-classes.

Create React App is a build tool, and `nth-check` is a build-time dependency. The ReDoS vulnerability isn't exploitable here, because Create React App produces static HTML, CSS, and JavaScript. Since that output is static, the vulnerable code is not part of the build output that you deploy, so you can treat the security notification as a false alarm.

Dependabot alerts and `npm audit` often report false positives for frontend tooling libraries, as explained in this Create React App GitHub issue.

When using Create React App, you can configure GitHub Dependabot to ignore dependency warnings through the configuration options in a `dependabot.yml` file.

If, however, you are using `nth-check` as a dependency in an app where the vulnerable code could be exposed (such as a Node.js app that parses CSS selectors from untrusted input), you should update `nth-check` to version 2.0.1 or later and update all packages that depend on the older version of `nth-check`.