Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Security Introducing the Practice

Posted by lassek
lassek
8,209 Points

Thousands of vulnerabilities on the lab files...

Running npm install on the lab files reveals thousands of vulnerabilities. Running npm audit fix, automatically fixes most of them, but 462 remains, of which 11 has high severity.

What's your process for updating lab files from a security perspective?

Updating the dependencies in package.json for latest react lib versions fixes it, but I feel this should at the very least have a teachers note, if you're not planning to update the lab files.

"Practice state in React": https://teamtreehouse.com/library/introducing-the-practice-38#questions

AJ Tran
AJ Tran
Treehouse Teacher
AJ Tran
AJ Tran
Treehouse Teacher

Thanks for asking about this, lassek ! I will refer the question to some more people internally so that we can investigate this further. Thank you also for your suggestions.

1 Answer

James Crosslin
seal-mask
.a{fill-rule:evenodd;}techdegree seal-36
James Crosslin
Full Stack JavaScript Techdegree Graduate 16,882 Points
James Crosslin
.a{fill-rule:evenodd;}techdegree seal-36
James Crosslin
Full Stack JavaScript Techdegree Graduate 16,882 Points

Here's what I did to fix this problem, because the vulnerabilities are coming from deprecated versions of create-react-app. In my package.json file, I changed my dependency versions to the most current version of React. After doing this, I ended up with only 51 vulnerabilities, and npm audit fix solved all of them. Of course, you can only do this if there aren't breaking changes between the source files and the latest version of dependencies. Thankfully, everything in this project is just based on the standard create-react-app files with no extra dependencies, so there are no breaking changes when we do this. Also, you'll probably have to run npm update when you want to start your development server.

package.json

{
  "name": "practice-state",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "react": "^17.0.0",
    "react-dom": "^17.0.0",
    "react-scripts": "^4.0.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": [
    ">0.2%",
    "not dead",
    "not ie <= 11",
    "not op_mini all"
  ]
}
lassek
lassek
8,209 Points

Thanks for sharing; helpful for people unsure how to solve it.

I'm also interested in what policy Teamtreehouse has for these things? I expect teamtreehouses labs to be as safe as one can expect - and I expected much more.

Is this an accident, or they just don't have a process for updating labs from a security perspective?

If they want an easy way out, at least they can add generic very clear update instructions to every single lab where these problems can arise. Pinned security info.