Security Introducing the Practice

Thousands of vulnerabilities on the lab files...

Running npm install on the lab files reveals thousands of vulnerabilities. Running npm audit fix automatically fixes most of them, but 462 remain, of which 11 have high severity.

What's your process for updating lab files from a security perspective?

Updating the dependencies in package.json to the latest React lib versions fixes it, but I feel this should at the very least have a teacher's note if you're not planning to update the lab files.

"Practice state in React": https://teamtreehouse.com/library/introducing-the-practice-38#questions

AJ Tran
Treehouse Teacher

Thanks for asking about this, lassek ! I will refer the question to some more people internally so that we can investigate this further. Thank you also for your suggestions.

1 Answer

James Crosslin
Full Stack JavaScript Techdegree Graduate 16,756 Points

Here's what I did to fix this problem, because the vulnerabilities are coming from deprecated versions of create-react-app. In my package.json file, I changed my dependency versions to the most current version of React. After doing this, I ended up with only 51 vulnerabilities, and npm audit fix solved all of them. Of course, you can only do this if there aren't breaking changes between the source files and the latest version of dependencies. Thankfully, everything in this project is just based on the standard create-react-app files with no extra dependencies, so there are no breaking changes when we do this. Also, you'll probably have to run npm update when you want to start your development server.

package.json

{
  "name": "practice-state",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "react": "^17.0.0",
    "react-dom": "^17.0.0",
    "react-scripts": "^4.0.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": [
    ">0.2%",
    "not dead",
    "not ie <= 11",
    "not op_mini all"
  ]
}
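As an added example (not code from the answer above or from Treehouse), here is a small Node script that turns `npm audit --json` output into a pass/fail decision by severity, so a count like "462 remaining, 11 high" can be checked automatically after each dependency update instead of read off the terminal. It uses the per-severity counts that npm writes under `metadata.vulnerabilities` in its JSON report; the per-package section it inspects for direct dependencies (`isDirect`, `fixAvailable`) follows the npm 7+ report format, and the sample report embedded in the script is constructed for the example, not a real audit of the lab files.

```javascript
// Added example: summarize `npm audit --json` output and gate on a severity
// threshold. Not part of the Treehouse lab or the answer above.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Both npm report formats (npm 6 "advisories" reports and the npm 7+
// auditReportVersion 2 format) carry per-severity counts under
// metadata.vulnerabilities; that is the only field this function needs.
function summarizeAudit(report) {
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const summary = {};
  for (const sev of SEVERITY_ORDER) {
    summary[sev] = Number(counts[sev]) || 0;
  }
  summary.total = SEVERITY_ORDER.reduce((n, sev) => n + summary[sev], 0);
  return summary;
}

// True when any finding is at or above the threshold severity.
function exceedsThreshold(summary, threshold = 'high') {
  const start = SEVERITY_ORDER.indexOf(threshold);
  if (start < 0) throw new Error(`unknown severity: ${threshold}`);
  return SEVERITY_ORDER.slice(start).some((sev) => summary[sev] > 0);
}

// npm 7+ only: report.vulnerabilities is keyed by package name and marks
// which entries are direct dependencies. Those are the ones fixed by editing
// package.json (as the answer does for react-scripts); transitive ones are
// fixed by bumping the direct dependency that pulls them in.
function directFindings(report) {
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns)
    .filter((v) => v.isDirect)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      // fixAvailable is true, false, or an object naming the version to
      // move to and whether that move is a semver-major change.
      fixAvailable: Boolean(v.fixAvailable),
      semverMajor: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    }));
}

// Constructed sample in the npm 7+ shape; the transitive package name,
// advisory text and counts are made up for this example.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'react-scripts': {
      name: 'react-scripts',
      severity: 'high',
      isDirect: true,
      via: ['example-transitive-pkg'],
      fixAvailable: { name: 'react-scripts', version: '4.0.3', isSemVerMajor: true },
    },
    'example-transitive-pkg': {
      name: 'example-transitive-pkg',
      severity: 'high',
      isDirect: false,
      via: [{ title: 'constructed advisory', severity: 'high' }],
      fixAvailable: true,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 3, moderate: 7, high: 2, critical: 0, total: 12 },
  },
};

// Human-readable lines; the last line starts with PASS or FAIL.
function formatReport(auditReport, threshold) {
  const summary = summarizeAudit(auditReport);
  const lines = [
    `vulnerabilities: ${summary.total} (` +
      SEVERITY_ORDER.map((s) => `${s} ${summary[s]}`).join(', ') + ')',
  ];
  for (const f of directFindings(auditReport)) {
    lines.push(
      `direct dependency ${f.name}: ${f.severity}, fix available: ${f.fixAvailable}` +
        (f.semverMajor ? ' (semver-major, check for breaking changes first)' : '')
    );
  }
  lines.push(exceedsThreshold(summary, threshold)
    ? `FAIL: findings at or above ${threshold}`
    : `PASS: nothing at or above ${threshold}`);
  return lines;
}

// CLI use: `npm audit --json > audit.json && node audit-gate.js audit.json [threshold]`.
// Without a file argument the constructed sample is used, so it runs offline.
if (typeof require !== 'undefined' && require.main === module) {
  const fromFile = Boolean(process.argv[2]);
  const input = fromFile
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_REPORT;
  const out = formatReport(input, process.argv[3] || 'high');
  console.log(out.join('\n'));
  // Only a real audit file decides the exit status (non-zero on FAIL).
  if (fromFile) process.exitCode = out[out.length - 1].startsWith('FAIL') ? 1 : 0;
}
```

Run it after `npm audit --json > audit.json` and it exits non-zero when anything at or above the chosen severity remains, which is what you want from a pre-commit or CI step. The semver-major flag is there because that is exactly the situation the answer warns about: a fix like moving react-scripts to a new major version is only safe when the lab's source files have no breaking changes against it.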

Thanks for sharing; helpful for people unsure how to solve it.

I'm also interested in what policy Teamtreehouse has for these things. I expect Teamtreehouse's labs to be as safe as one can expect, and I expected much more.

Is this an accident, or do they just not have a process for updating labs from a security perspective?

If they want an easy way out, they can at least add generic, very clear update instructions to every single lab where these problems can arise. Pinned security info.