Security Audit Failed Due to Moderate Vulnerability in @babel/runtime #6021

Open
vanGalilea opened this issue Mar 12, 2025 · 1 comment
Labels: issue/bug-unconfirmed (Issues that describe a bug that hasn't been confirmed by a maintainer yet)

Comments

@vanGalilea

We have encountered a security issue related to a vulnerable dependency in react-select. Our security audit failed due to the following moderate vulnerabilities:

Found Vulnerable Advisory Paths:

GHSA-968p-4wvh-cqc8 | react-select > @babel/runtime
GHSA-968p-4wvh-cqc8 | react-select > @emotion/react > @babel/runtime
GHSA-968p-4wvh-cqc8 | react-select > @emotion/react > @emotion/babel-plugin > @babel/runtime
GHSA-968p-4wvh-cqc8 | react-select > @emotion/react > @emotion/babel-plugin > babel-plugin-macros > @babel/runtime
GHSA-968p-4wvh-cqc8 | react-select > react-transition-group > @babel/runtime
GHSA-968p-4wvh-cqc8 | react-select > react-transition-group > dom-helpers > @babel/runtime

Security Advisory:

GHSA-968p-4wvh-cqc8

Steps to Reproduce:

Run yarn audit or npm audit in a project using react-select.
Observe that the security audit fails due to the above vulnerabilities.

Expected Behavior:

Security audit should pass without any vulnerabilities.

Actual Behavior:

Security audit fails with moderate severity vulnerabilities related to @babel/runtime.

Suggested Fix:

Upgrade dependencies in react-select that rely on outdated versions of @babel/runtime. If a fix is available in upstream dependencies, updating the relevant packages may resolve the issue.

Please advise on whether there is an existing fix or if a dependency update is planned in an upcoming release.

Thanks!

@vanGalilea vanGalilea added the issue/bug-unconfirmed Issues that describe a bug that hasn't been confirmed by a maintainer yet label Mar 12, 2025
@Methuselah96
Collaborator

Methuselah96 commented Mar 12, 2025

You should be able to fix this yourself by deleting your package lock file and node_modules and re-running package installation. This works because the dependency on @babel/runtime is ^7.12.0, so it should choose the most recent version on a fresh install. Feel free to create a PR to bump the dependency here as well.
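The reasoning in the comment above, as an added example that is neither react-select's code nor the commenter's: a small Node script that reads an npm lockfile (a constructed sample is embedded) and lists every dependent whose `^` range already admits a newer `@babel/runtime` than the lockfile pins, which is exactly what regenerating the lockfile would pick up. `LATEST_ON_REGISTRY`, `stalePins`, `caretAllows` and every version in the sample are assumed placeholders, not real releases or project APIs.

```javascript
// Added example, not react-select's own code: report lockfile entries whose pinned
// copy of a package is older than what the declared caret range already permits.
// Lockfile shape follows npm's lockfileVersion 2/3 "packages" map; all values are constructed.
const parse = (v) => v.replace(/^\^/, "").split(".").map(Number);
const cmp = (a, b) => {
  const [A, B] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (A[i] !== B[i]) return A[i] - B[i];
  return 0;
};
// Caret semantics for major >= 1: same major as the floor and not below it.
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled here");
  return parse(range)[0] === parse(version)[0] && cmp(version, range) >= 0;
}
// npm resolution: walk outward through node_modules dirs until a copy of `name` is found.
function resolvedFor(pkgs, dependentPath, name) {
  for (let p = dependentPath; ; ) {
    const hit = pkgs[`${p}/node_modules/${name}`];
    if (hit) return hit.version;
    const i = p.lastIndexOf("/node_modules/");
    if (i < 0) return pkgs[`node_modules/${name}`]?.version; // hoisted top-level copy
    p = p.slice(0, i);
  }
}
// Each dependent of `name` whose range admits `latest` but whose pinned copy is older.
function stalePins(lock, name, latest) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const range = meta.dependencies?.[name];
    if (path === "" || !range) continue;
    const pinned = resolvedFor(lock.packages, path, name);
    if (pinned && caretAllows(range, latest) && cmp(pinned, latest) < 0)
      out.push({ dependent: path, range, pinned });
  }
  return out;
}
const LATEST_ON_REGISTRY = "7.99.0"; // assumed placeholder, not a real release
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { // constructed sample lockfile
  "": { dependencies: { "react-select": "^5.0.0", "dom-helpers": "^5.0.0" } },
  "node_modules/@babel/runtime": { version: "7.12.5" }, // hoisted and stale
  "node_modules/react-select": { version: "5.0.0", dependencies: { "@babel/runtime": "^7.12.0" } },
  "node_modules/react-select/node_modules/react-transition-group": { version: "4.0.0", dependencies: { "@babel/runtime": "^7.12.0" } },
  "node_modules/dom-helpers": { version: "5.0.0", dependencies: { "@babel/runtime": "^7.12.0" } },
  "node_modules/dom-helpers/node_modules/@babel/runtime": { version: "7.99.0" }, // already fresh
} };
console.log(stalePins(SAMPLE_LOCK, "@babel/runtime", LATEST_ON_REGISTRY));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `LATEST_ON_REGISTRY` with the version `npm view @babel/runtime version` reports.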
