Potential DoS: react-native-vector-icons@6.1.0 › yargs@8.0.2 › os-locale@2.1.0 › mem@1.1.0 #2893

Closed
devproivansurzhenko opened this issue Aug 23, 2019 · 6 comments

devproivansurzhenko commented Aug 23, 2019

Hi all,

Just found that: https://snyk.io/test/npm/native-base/2.13.5?tab=issues

(okay, not me; my security reviewer has pushed me :) )

Are there plans to upgrade react-native-vector-icons version at package.json?

@Remigius2011

The current version of react-native-vector-icons is 6.6.0. Would it be possible to upgrade the dependency to the most current version, or to use a more generic version, like ^6.6.0? I was using react-native-vector-icons@6.6.0 before installing native-base, which caused a downgrade of react-native-vector-icons.

@devproivansurzhenko
Author

@Remigius2011 JFYI, I used npm-force-resolutions as a workaround for now.

https://github.com/rogeriochaves/npm-force-resolutions

@Remigius2011

Sorry, but I'm using yarn. Also, just forcing the resolution might not work out, because there might be a reason that native-base has not yet been upgraded to 6.6.0, or is fixing the version in general.

@Remigius2011

In yarn, dependency resolution can be controlled using a resolutions field in package.json, in this case as follows:

"resolutions": {
  "react-native-vector-icons": "^6.6.0"
}

I don't know whether this works in all cases (I have only run it in the Android emulator so far, and with very little native-base content, actually), but at least it has brought a missing icon back. Still, it would be more than nice to have official support for 6.6.0.
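Whichever override mechanism is used (the yarn `resolutions` field above, or npm-force-resolutions mentioned earlier), the step a reviewer will want is proof that the override actually landed in the lockfile, i.e. that every entry for the overridden package now resolves to a version inside the forced range. The script below is an added example, not code from native-base or from anyone in this thread: it parses the yarn v1 lockfile format and checks each entry against a `resolutions` map. The lockfile snippets are constructed for illustration, and the range matcher is a deliberately small reimplementation covering only `^`, `~`, `>=` and exact versions (an assumption; it is not the `semver` package).

```javascript
// Added example (not part of native-base or this thread): confirm that a yarn
// "resolutions" override took effect by reading yarn.lock (v1 format).

// Constructed lockfile fragment: override applied, both specs collapsed to 6.6.0.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

react-native-vector-icons@6.1.0, react-native-vector-icons@^6.6.0:
  version "6.6.0"
  resolved "https://registry.yarnpkg.com/react-native-vector-icons/-/react-native-vector-icons-6.6.0.tgz"

mem@^1.1.0:
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/mem/-/mem-1.1.0.tgz"
`;

// Constructed lockfile fragment: override NOT applied (stale lock, pinned 6.1.0 survives).
const STALE_LOCK = `
# yarn lockfile v1

react-native-vector-icons@6.1.0:
  version "6.1.0"
  resolved "https://registry.yarnpkg.com/react-native-vector-icons/-/react-native-vector-icons-6.1.0.tgz"
`;

// Parse a yarn v1 lockfile into [{ specs: ["name@range", ...], name, version }].
// Header lines are unindented, end with ":" and may list several comma-separated,
// optionally quoted specs; the "version" line is indented beneath them.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last "@" (handles scoped packages).
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { specs, name, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

function parseVersion(v) {
  const m = v.match(/^v?(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal semver subset (assumption: enough for resolutions like "^6.6.0").
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('^')) {
    const base = parseVersion(r.slice(1));
    const upper = base[0] > 0 ? [base[0] + 1, 0, 0]
                : base[1] > 0 ? [0, base[1] + 1, 0]
                : [0, 0, base[2] + 1];
    return cmp(v, base) >= 0 && cmp(v, upper) < 0;
  }
  if (r.startsWith('~')) {
    const base = parseVersion(r.slice(1));
    return cmp(v, base) >= 0 && cmp(v, [base[0], base[1] + 1, 0]) < 0;
  }
  if (r.startsWith('>=')) return cmp(v, parseVersion(r.slice(2))) >= 0;
  return cmp(v, parseVersion(r)) === 0;
}

// Every lockfile entry for a package named in `resolutions` must resolve to a
// version inside the forced range. Returns the list of entries that do not.
function checkResolutions(lockText, resolutions) {
  const violations = [];
  for (const entry of parseYarnLock(lockText)) {
    const range = resolutions[entry.name];
    if (range === undefined) continue;
    if (entry.version === null || !satisfies(entry.version, range)) {
      violations.push({ name: entry.name, specs: entry.specs, version: entry.version, expected: range });
    }
  }
  return violations;
}

const RESOLUTIONS = { 'react-native-vector-icons': '^6.6.0' };
console.log('applied lock :', JSON.stringify(checkResolutions(SAMPLE_LOCK, RESOLUTIONS)));
console.log('stale lock   :', JSON.stringify(checkResolutions(STALE_LOCK, RESOLUTIONS)));
```

An empty result for the real yarn.lock is the evidence to hand to a security reviewer; a non-empty one usually means the lockfile was not regenerated after the `resolutions` field was added. Note what this check does not tell you: it only confirms the version that was installed, not that native-base works with it, which is exactly the concern raised above about a dependency being pinned for a reason.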

@devproivansurzhenko
Author

@Remigius2011 Sure, it is just a 'last attempt' to get things done while official support is not released.

In my case, I forced another version of mem, since the security team did not approve this dependency (caused by react-native-vector-icons@6.1.0).

@sankhadeeproy007 sankhadeeproy007 self-assigned this Sep 2, 2019
cristianoccazinsp pushed a commit to cristianoccazinsp/NativeBase that referenced this issue Sep 17, 2019
… small-optimizations-rebased

* 'master' of https://github.com/GeekyAnts/NativeBase: (22 commits)
  v2.13.8
  chore(): transpiles changes
  fix(toast): fix top toast on iOS GeekyAnts#2914
  fix(input): fixes fontSize for secureTextEntry
  chore(script): adds prettier only to src files
  fix(warning): fixes picker warning
  fix(): initialPage not working on Android GeekyAnts#2705 (GeekyAnts#2902)
  added missing fullstops and colons (GeekyAnts#2920)
  fix(types): adds keyExtractor props for list
  fix(fonts): adds rubicon fonts
  fix(image): adds image props for image component
  fix(list): adds FlatList types for List component
  chore(): updates issue template
  v2.13.7
  fix(): adds missing robot fonts
  v2.13.6
  chore(): updates yarn lock file
  fix(): removes devdependencies
  chore(): updates dependencies for RNVI GeekyAnts#2893
  chore(): updates color dependency
  ...
@hanykumar
Contributor

Hi @devproivansurzhenko, please update to Native-Base v2.13.14 and let us know if the issue still persists. Closing for now.
