fixing dependency bot alert

[rsajwani]

Signed-off-by: Rameez Sajwani rameezwazirali@hotmail.com

Fix vulnerability define here
Seeing this warning when we push any PR

git push -u origin vtadmin-package-vulner                 
Enumerating objects: 9, done.
Counting objects: 100% (9/9), done.
Delta compression using up to 10 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 558 bytes | 558.00 KiB/s, done.
Total 5 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
remote: 
remote: Create a pull request for 'vtadmin-package-vulner' on GitHub by visiting:
remote:      https://github.com/planetscale/vitess/pull/new/vtadmin-package-vulner
remote: 
remote: GitHub found 1 vulnerability on planetscale/vitess's default branch (1 high). To find out more, visit:
remote:      https://github.com/planetscale/vitess/security/dependabot/8

I did npm install to fix this issue.

Related Issue(s)

alert

Checklist

• "Backport to:" labels have been added if this change should be back-ported
• Tests were added or are not required
• Documentation was added or is not required

Deployment Notes

[vitess-bot]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has a descriptive title.
• If this is a change that users need to know about, please apply the release notes (needs details) label so that merging is blocked unless the summary release notes document is included.
• If a test is added or modified, there should be a documentation on top of the test to explain what the expected behavior is what the test does.

If a new flag is being introduced:

• Is it really necessary to add this flag?
• Flag names should be clear and intuitive (as far as possible)
• Help text should be descriptive.
• Flag names should use dashes (-) as word separators rather than underscores (_).

If a workflow is added or modified:

• Each item in Jobs should be named in order to mark it as required.
• If the workflow should be required, the maintainer team should be notified.

Bug fixes

• There should be at least one unit or end-to-end test.
• The Pull Request description should include a link to an issue that describes the bug.

Non-trivial changes

• There should be some code comments as to why things are implemented the way they are.

New/Existing features

• Should be documented, either by modifying the existing documentation or creating new documentation.
• New features should have a link to a feature request issue or an RFC that documents the use cases, corner cases and test cases.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• vtctl command output order should be stable and awk-able.
• RPC changes should be compatible with vitess-operator
• If a flag is removed, then it should also be removed from VTop, if used there.

[dbussink]

I don't think this is the right way to fix it. It looks like the dependency resolving was manually modified which isn't correct.

We either need to explicitly force this dependency to a later version using something like https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides, or move away from create-react-app.

This specific nth-check issue is not really a pressing security issue (see facebook/create-react-app#11174), but the bigger concern is that the project seems to be entirely unmaintained. So we should probably switch away from that for that reason and use something like Vite instead.

Also cc @notfelineit since in another PR we also talked about upgrading things in general, so maybe we should bite the bullet and move to Vite as well then all in 1 go.

[dbussink]

We either need to explicitly force this dependency to a later version using something like https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

#12270 uses the override to get rid of the broken dependency. We need to either do that, or move away from create-react-app if we want to address this alert.

I did npm install to fix this issue.

I don't see how this is possible. The changes here show that for an existing package, the dependency was overwritten which is only possible if you manually change the package-lock.json. It's also visible that when you remove package-lock.json and then npm install again, the changes in this PR are gone.

[rsajwani]

@dbussink , should I close this PR then given you mention this is not the right way to resolve this dependency

[rsajwani]

closing this PR in favor of #12270