react-scripts package: Resolving vulnerabilities by updating dependencies + .SVG loader bug fix

[HiickFG]

This Pull Request updates the following dependencies from react-scripts to the latest available version while also resolving a bug with .svg loader rules.

This clears high risk and moderate risk vulnerability warnings present when using react-scripts package as detailed below.

UPDATE (Jan 14th, 2025):

I am aware based on topic #11174 that these warnings are just false-positives, since react-scripts is just a build tool. Even if this PR resolves false-positives (and a bug), I reckon it would stop the propagation of issues in this repo related to nth-check and postcss, allowing the maintainers to focus on the more complex problems and keep the repo clean. Below I linked just a few issues that could be closed by this PR.

@svgr/webpack: ^8.1.0 (from ^5.5.0)

• Objective:

Resolves high vulnerability from outdated nth-check package dependency.

• Impacts:

@svgr/webpack appears to be only used on the loading of svg files for react-scripts.

Changing the main version drastically didn't seem to require a change in the syntax for the relevant .svg loading rules. However, I did notice a bug in the process of checking if it would load an SVG icon properly depending on the approach used (as static media through <img> or as a React component through a .js file).

The bug:
When attempting to load an .svg file as a React component, the app was throwing the following error at Run Time:
" Failed to execute 'createElement' on 'Document': The tag name provided ('/static/media/MyUniverse192.d26f326c17598c3c29c571bb371b06c8.svg') is not a valid name. "

Which indicated that it was trying to interpret the svg file without transforming it into a React component as it was not being imported into the webpack @svgr/webpack loader.

The fix:
Further separating the rules into each use case resolved the problem. This enabled better specification of the issuer loading the content: Loading through Javascript/Typescript files would use the webpack loader, whereas the other scenarios would use the normal file-loader instead, treating the SVG as a static media.

resolve-url-loader: ^5.0.0 (from ^4.0.0)

• Objective:

Resolves moderate vulnerability from outdated postcss package dependency.

• Impacts:

No apparent impact in the current react-scripts usage within webpack.config.js file.

Resolves #13671
Resolves #13637
Resolves #13591
Resolves #13564
Resolves #13423
Resolves #13364
Resolves #13351
Resolves #13284
Resolves #13227
Resolves #13059
Resolves #13130
Resolves #12948
Resolves #12778

[facebook-github-bot]

Hi @HiickFG!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

[facebook-github-bot]

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

[Lefeldiman]

Well done @HiickFG!