is it secure to use SKIP_FLIGHT_CHECK=true and openssl-legacy-provider in react script npm start?


I am working on a react app which has old versions of most of the libraries being used in package.json file.

e.g.

"react": "^16.3.1",
"react-scripts": "^3.0.1"
...

While installing packages with the latest version of NodeJS (>18), I got conflicting dependency errors, so I used npm install --legacy-peer-deps.

With that my installation was successful, but when I went to run using npm start, it started to give an error related to webpack version 4.42.2.

I debugged it, found one solution, and updated the script as below:

"start": "cross-env SKIP_FLIGHT_CHECK=true react-scripts --openssl-legacy-provider start"

With the above, it starts running fine.

Now I want to check: with this solution, are there any changes regarding a security breach?

Or is it secure in terms of any attacks?



Answer by someRandomDev:

Yes, it does increase the security risks on your app. There's no way to tell whether it will cause major issues or not, but it's an additional risk.

As per the Node documentation, the flag --openssl-legacy-provider enables the OpenSSL 3.0 legacy provider. The OpenSSL documentation states that:

The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy. Such algorithms have commonly fallen out of use, have been deemed insecure by the cryptography community, or something similar.

So to keep your app as secure as possible, you should avoid using the --openssl-legacy-provider flag.