react-dev-utils uses a vulnerable version of immer as a dependency #10411
Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
Note: this will NOT make anybody's apps vulnerable.
Edit as of 2/3/2021 to clarify things for everyone: This is only used during the build phase of your app. It is not in the webpack bundle. Assuming your app doesn't directly use immer, e.g. you have manually put it in your dependencies, you are fine.
Is there a reason it's not a devDependency? create-react-app/packages/react-dev-utils/package.json Lines 54 to 83 in dfe2a09
What I meant is that it is essentially only used during the build phase of your app, not at runtime. Sorry for phrasing it wrong.
When can we expect to have a new release for this fix? This is a high security issue within our project.
Bumping this request, we also have this as a high security vuln in our project and since immer has released the patch, would really appreciate a timely bump in your dependencies. Thank you!
Instead of making demands, why don't you submit a patch?
There's an open PR posted on the day this issue was created at #10412
Thanks for looking at this, I really appreciate the hard work you people are doing!
But doesn't that mean it should be a devDependency? IMHO there is something seriously wrong with the security audit notifications. I've seen it dozens of times:
I think telling users to ignore security warnings is harmful. So either npm shouldn't warn about irrelevant vulnerabilities, or package maintainers should prioritize security vulnerabilities even if they are irrelevant.
If it WAS a
Yup, at this point I'm inclined to turn it off which defeats the point of what should be a very useful feature. It's annoying having the main repo page shout at me with nothing I can do about it.
I understand that
Another, more outlandish idea I had, but very much out of scope for this discussion, is to have the ability for packages to specify 'transient devDependencies', meaning that when you devDepend on a package specifying a transient devDependency, that dependency should be treated as a devDependency for your application or package as well.
Even if it's a dev dependency, why do we have to stick with the oldest version of immer (1.10.0)? Can we not bump up the version?
What version of react-dev-utils are you using @avbhardwaj?
@RDIL: Currently I'm using v10.2.1
Are you sure? It appears that react-dev-utils is using a way newer build of immer than 1.10.0: https://github.com/facebook/create-react-app/blob/master/packages/react-dev-utils/package.json
@RDIL: Thanks for the update 👍, it seems like it has been bumped up in the
Also the newer version of
Forgive my ignorance.
If your project uses a different major version of immer, your package manager should move this version directly into
We are still getting this issue even after upgrading to 11.0.2 in our project. The immer dependency is still at 7.0.9. Request the author to please upgrade the immer dependency.
No, there’s nothing wrong.
The false positive report in this thread has no relation to the bug you are seeing. File a new issue with a reproducing project please.
To get things moving using
Resolves #10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
Poof, you're unblocked.
This is following up on a vulnerability reported here: https://github.com/glints-dev/glints-aries/security/dependabot/yarn.lock/immer/open See the related discussion here: facebook/create-react-app#10411 From what I found online, this issue is quite irrelevant: facebook/create-react-app#10411 (comment)
Is there any way to do this with NPM?
Using the npm-force-resolution package, you can change the version of the sub-dependency within npm.
Yep, I'm doing that now with all 5 vulnerable packages:
Thanks for the help! I just went through the same issue & this was quite helpful. An updated list of resolutions to patch up current vulnerabilities as of December 2021 was as follows:
I tried using both
Just to make sure I'm doing it correctly, @cmacdonnacha and @jacraven, you guys are just adding the resolutions object to package.json and running
@veller please update your react-scripts version if possible, but also keep in mind this isn't going to harm your project, and can safely be ignored.
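Before forcing a resolution, it helps to know which copies of immer a lockfile actually pins, which parent pulls each one in, and whether that parent is a dev-only (build-time) subtree, which is the distinction the maintainers make above. The following audit script is an added example, not code from the thread or from create-react-app; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3 (the `packages` map), and the sample lockfile embedded in it is constructed.

```javascript
// Added example: report every copy of immer in a package-lock.json that is
// older than the fixed release (8.0.1), with the package that nests it and
// whether npm marked that subtree as dev-only ("dev": true).
const FIXED_IMMER = '8.0.1';
const SUFFIX = '/node_modules/immer';

// Minimal x.y.z comparison; enough for immer's plain release versions.
function semverLt(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// lock: parsed package-lock.json (lockfileVersion 2/3 "packages" map).
function auditImmer(lock, fixed = FIXED_IMMER) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/immer')) continue; // hoisted or nested copy
    if (!meta.version || !semverLt(meta.version, fixed)) continue;
    const parent = path === 'node_modules/immer'
      ? '<root>'                              // hoisted to the top level
      : path.slice(0, -SUFFIX.length);        // e.g. node_modules/react-dev-utils
    findings.push({ path, version: meta.version, parent, devOnly: Boolean(meta.dev) });
  }
  return findings;
}

// Constructed sample: a hoisted immer 9.x for the app plus an old 7.0.9
// nested under react-dev-utils in a dev-only subtree.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/immer': { version: '9.0.6' },
    'node_modules/react-dev-utils': { version: '11.0.2', dev: true },
    'node_modules/react-dev-utils/node_modules/immer': { version: '7.0.9', dev: true },
  },
};

// Pass a real lockfile path as the first argument to audit it instead of the sample.
let lock = SAMPLE_LOCK;
if (typeof process !== 'undefined' && process.argv[2] && typeof require === 'function') {
  lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
}
for (const f of auditImmer(lock)) {
  console.log(`${f.path}: immer ${f.version} < ${FIXED_IMMER} (via ${f.parent}, devOnly=${f.devOnly})`);
}
```

A copy that is reachable only through a dev-only subtree is build-time only, as the maintainers note above, while a vulnerable hoisted copy at the root would be one your own runtime code could load.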
Describe the bug
The react-dev-utils package uses a vulnerable version (7.0.9) of immer as a dependency. Here is the GitHub CVE (High Severity) notification for the vulnerability, and here is the commit that has fixed it in the Immer 8.0.1 release earlier today.
react-dev-utils should be updated to use version 8.0.1 of Immer.