This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Critical Vulnerability in @expo/webpack-config #4396

Closed
schlosser opened this issue May 27, 2022 · 6 comments
Labels
needs review Issue is ready to be reviewed by a maintainer Platform: web Using Expo in the browser

Comments

@schlosser

schlosser commented May 27, 2022

Summary

yarn audit shows https://www.npmjs.com/advisories/1005029 as a critical vulnerability, due to an old version of react-dev-utils.

Environment

 Expo CLI 5.1.2 environment info:
    System:
      OS: macOS 12.1
      Shell: 5.8 - /bin/zsh
    Binaries:
      Node: 16.13.0 - ~/.nvm/versions/node/v16.13.0/bin/node
      Yarn: 1.22.10 - /usr/local/bin/yarn
      npm: 8.1.4 - /opt/homebrew/bin/npm
    Managers:
      CocoaPods: 1.10.2 - /usr/local/bin/pod
    IDEs:
      Xcode: /undefined - /usr/bin/xcodebuild
    npmPackages:
      react: ^17.0.2 => 17.0.2
      react-dom: ^17.0.2 => 17.0.2
      react-native-web: ^0.17.1 => 0.17.5
    Expo Workflow: managed

Please specify your device/emulator/simulator platform, model and version

N/A

Error output

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/next-adapter                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @expo/next-adapter > @expo/webpack-config > react-dev-utils  │
│               │ > immer                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1005029                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

as well as

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in simple-plist                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ simple-plist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/next-adapter                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @expo/next-adapter > @expo/webpack-config > @expo/config >   │
│               │ @expo/config-plugins > xcode > simple-plist                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1067309                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Reproducible demo or steps to reproduce from a blank project

yarn audit

schlosser added the needs review label May 27, 2022
@mcsky

mcsky commented Aug 10, 2022

There are more vulnerabilities today, see below

node-forge

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Improper Verification of Cryptographic Signature in          │
│               │ `node-forge`                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.3.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/webpack-config                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @expo/webpack-config > webpack-dev-server > selfsigned >     │
│               │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1070354                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

browserslist

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service in browserslist         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.16.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/webpack-config                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @expo/webpack-config > react-dev-utils > browserslist        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1067902                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

ansi-html

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncontrolled Resource Consumption in ansi-html               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-html                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/webpack-config                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @expo/webpack-config > webpack-dev-server > ansi-html        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1070006                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

I think there are other outdated dependencies; this list is not exhaustive.

You should consider upgrading webpack and webpack-dev-server (high level vulnerability).

This issue prevents us from using this package, and it is necessary for us to build in web mode. : /

@govind707

there are more vulnerabilities today

[three screenshots of audit output attached; not recoverable as text]

EvanBacon added the Platform: web label Oct 27, 2022
@bobOnGitHub

Hadn't seen this issue when posted #4570 (comment)
So these issues have been going on for 6 months. It doesn't look like web on react native / expo is a safe place to be.

@kbrandwijk
Contributor

https://overreacted.io/npm-audit-broken-by-design/

Please explain to me how a tool you are running locally compromises the security of your app/web project.

@bobOnGitHub

@kbrandwijk, Yeah... "safe" also meaning a safe place to be investing time... which admittedly wasn't obvious.

I can't know what exactly webpack is doing with my files - what, if anything, it is adding to the possibly tens of thousands of project files I'll end up with to generate the final build - so I don't know, without a whole lot of effort (which kind of negates the whole point of using the tools), IF what the tools are telling me are critical security issues are in fact going to be security issues. Sure, while I'm working on my machine locally etc. I can carry on... and get to the next set of issues, but come the time for a release build, if npm audit says I have security issues and I can't explain every one of them away, then I have a problem.

Bottom line: I should not be seeing this output.
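
The two comments above disagree on whether a build-tool advisory matters for the shipped app. As an added example (not from this thread, not Expo's code), the script below turns `yarn audit` rows into a triage decision by checking whether the top of each dependency path is a runtime or dev dependency of the project; the findings are transcribed from the tables posted in this issue, while the package.json is a constructed, hypothetical project.

```javascript
// Constructed package.json: @expo/* packages are used only for building.
const packageJson = {
  dependencies: { react: "*", "react-dom": "*", "react-native-web": "*" },
  devDependencies: { "@expo/next-adapter": "*", "@expo/webpack-config": "*" },
};

// Rows transcribed from the yarn audit tables in this thread.
const findings = [
  { severity: "critical", pkg: "immer", patchedIn: ">=9.0.6",
    path: "@expo/next-adapter > @expo/webpack-config > react-dev-utils > immer" },
  { severity: "critical", pkg: "simple-plist", patchedIn: "No patch available",
    path: "@expo/next-adapter > @expo/webpack-config > @expo/config > @expo/config-plugins > xcode > simple-plist" },
  { severity: "moderate", pkg: "node-forge", patchedIn: ">=1.3.0",
    path: "@expo/webpack-config > webpack-dev-server > selfsigned > node-forge" },
];

// Which side of the project does the top of the dependency path belong to?
function classifyRoot(path, pkgJson) {
  const root = path.split(">")[0].trim();
  if (root in (pkgJson.dependencies || {})) return "runtime";
  if (root in (pkgJson.devDependencies || {})) return "build-time";
  return "unknown";
}

// One decision per finding. A build-time finding is still a finding: the
// exposure moves from the shipped bundle to the developer and CI environment.
function triage(finding, pkgJson) {
  const scope = classifyRoot(finding.path, pkgJson);
  const patchable = finding.patchedIn !== "No patch available";
  const actions = {
    "runtime|true": "upgrade before release: reachable from shipped code",
    "runtime|false": "block release until replaced or mitigated",
    "build-time|true": "upgrade toolchain: exposure is the build/dev environment",
    "build-time|false": "document acceptance or pin an alternative in the lockfile",
  };
  const action = actions[`${scope}|${patchable}`] || "locate the root package in the lockfile";
  return { pkg: finding.pkg, severity: finding.severity, scope, patchable, action };
}

// Release gate: any high/critical finding rooted in a runtime dependency
// blocks the release until it is upgraded or removed.
function releaseBlocked(all, pkgJson) {
  return all.map((f) => triage(f, pkgJson))
    .some((t) => t.scope === "runtime" && ["high", "critical"].includes(t.severity));
}

console.log(findings.map((f) => triage(f, packageJson)));
console.log("release blocked:", releaseBlocked(findings, packageJson));
```

The same three advisories block a release as soon as `@expo/next-adapter` is moved into `dependencies`, which is the distinction the audit table itself does not make.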

@EvanBacon
Contributor

react-dev-utils is no longer used as of #3763

@expo expo locked as too heated and limited conversation to collaborators Jan 29, 2023