How to fix npm package braces issue with react-scripts v2.1.5 when npm audit does nothing?

  • A+

My NPM package in my react client folder is giving me 63 low vulnerabilities all dealing with the braces package mainly in the jest folder of the react-scripts package of version 2.1.5. NPM Audit fix doesn't work, what do I do?

I've tried downgrading to previous versions of react-scripts, updating braces either through updating the package.json, deleting the package lock, and running npm install again, or running npm update braces, but nothing has worked after 2 hours of fiddling. I've also tried to revert to a previous version of my Github package.json when it was working. I believe it stopped working after I tried to download firebase-ui, but I think it has to do with updating the packages since I've deleted the node modules and npm installing several times.

Here's what my clean package.json that's messing up.

"webpack-dev-server": "3.1.14", "@babel/core": "*", "axios": "*", "body-parser": "*", "bootstrap": "*", "cors": "*", "dotenv": "*", "draft-js": "*", "draft-js-export-html": "*", "errorhandler": "*", "express": "*", "express-session": "*", "history": "*", "jquery": "*", "moment": "*", "mongoose": "*", "morgan": "*", "node-sass-chokidar": "*", "npm-run-all": "*", "path": "*", "query-string": "*", "react": "*", "react-dom": "*", "react-loadable": "*", "react-redux": "*", "react-router-dom": "*", "react-router-redux": "*", "react-scripts": "*", "react-validation": "*", "reactstrap": "*", "recharts": "*", "redux": "*", "redux-logger": "*", "redux-observable": "*", "redux-thunk": "*", "rxjs": "*", "rxjs-compat": "*", "validator": "*" 

And here's the issue I'm getting:

Low Regular Expression Denial of Service

Package braces

Dependency of react-scripts

Path react-scripts > jest > jest-cli > micromatch > braces

More info


I ran npm install braces@2.3.1 and then npm update

That still resulted in the 63 vulnerabilities but it did bring my braces to the current version. So I went through and updated ALL references of braces in the package-lock.json to 2.3.2. I then ran npm update again and when I ran npm audit the vulnerabilities were gone.


:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: