Razzle utilizes vulnerable versions of browserslist and minimatch as nested dependencies, causing security issues.
browserslist:
browserslist is a dependency required by react-dev-utils.
react-dev-utils should be 12.0.0 or above to have the next non-vulnerable version of browserslist.
Even the latest version of the razzle-dev-utils package uses react-dev-utils at version ^11.0.0.
Both react-dev-utils and razzle-dev-utils are required by razzle. Even the latest version of razzle (4.2.18) uses react-dev-utils: ^11.0.4 and razzle-dev-utils: 4.2.18, which have a vulnerable version of browserslist.
minimatch:
minimatch is a dependency required by wallaby-webpack and recursive-readdir.
Even the latest version of wallaby-webpack (3.9.16) uses a non-vulnerable version of minimatch.
minimatch is required by recursive-readdir, which is required by react-dev-utils, which is a dependency of razzle.
To have a non-vulnerable version of minimatch, react-dev-utils should be updated to 12.0.0, but even the latest version of razzle uses 11.0.4 (not the latest version).
Expected behavior:
Expecting a way to handle this.
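The dependency chains named in this report can be confirmed from a project's npm lockfile. The following is an added example, not part of the original issue or Razzle's code: it assumes the npm v2/v3 lockfile layout (a `packages` map), and the lockfile contents, the `0.0.0-sample` versions, the `*` ranges and the function names are constructed for illustration.

```javascript
// Constructed npm v2/v3 lockfile, not Razzle's real one; "0.0.0-sample" and "*" are placeholders.
const sampleLock = { packages: {
  "": { dependencies: { razzle: "4.2.18" } },
  "node_modules/razzle": { version: "4.2.18",
    dependencies: { "react-dev-utils": "^11.0.4", "razzle-dev-utils": "4.2.18" } },
  "node_modules/razzle-dev-utils": { version: "4.2.18",
    dependencies: { "react-dev-utils": "^11.0.0" } },
  "node_modules/react-dev-utils": { version: "11.0.4",
    dependencies: { browserslist: "*", "recursive-readdir": "*" } },
  "node_modules/recursive-readdir": { version: "0.0.0-sample",
    dependencies: { minimatch: "*" } },
  "node_modules/browserslist": { version: "0.0.0-sample" },
  "node_modules/minimatch": { version: "0.0.0-sample" },
} };
// Package name from a lockfile path ("node_modules/".length === 13).
const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + 13);
// Resolve a dependency the way Node does: nearest node_modules, then walk up.
function resolveDep(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null; // not installed
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}
// Return every chain from the project root down to each installed copy of `target`.
function traceChains(lock, target) {
  const packages = lock.packages, parents = {}, chains = [];
  for (const [path, meta] of Object.entries(packages)) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      const resolved = resolveDep(packages, path, dep);
      if (resolved) (parents[resolved] = parents[resolved] || []).push(path);
    }
  }
  const walk = (path, trail, seen) => {
    if (path === "") return void chains.push(trail.join(" > "));
    for (const parent of parents[path] || []) {
      if (seen.has(parent)) continue; // guard against dependency cycles
      const label = parent === "" ? "(root)" : `${nameOf(parent)}@${packages[parent].version}`;
      walk(parent, [label, ...trail], new Set(seen).add(parent));
    }
  };
  for (const path of Object.keys(packages)) {
    if (path !== "" && nameOf(path) === target)
      walk(path, [`${target}@${packages[path].version}`], new Set([path]));
  }
  return chains.sort();
}
console.log(traceChains(sampleLock, "minimatch").join("\n"));
```

Pointing `traceChains` at a real `package-lock.json` (parsed with `JSON.parse`) lists each path that pulls in the nested package, which shows which direct dependency would have to move for the nested version to change.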