Security Vulnerabilities in the underlying packages to be updated #9447

Closed
iyash1 opened this issue Aug 6, 2020 · 5 comments

Comments

@iyash1

iyash1 commented Aug 6, 2020

In my recent project, I've encountered a flaw highlighted by the Veracode static code analysis tool: the underlying libraries in react-scripts are susceptible to various vulnerabilities such as ReDoS, Prototype Pollution, etc. The dependency libraries are serialize-javascript, ajv and sockjs, all of which need more recent versions:

serialize-javascript@3.1.0 or above
ajv@6.12.3
sockjs@0.3.20 or above

I propose updating these dependencies for improved security and reliability.
Also, please let us know when you are planning to make these changes, if you consider updating them.

This would also help us with our application, and an immediate remediation or help would be much appreciated. Thank you.

@eddiemonge
Contributor

This will be fixed in the next release. To test it out: https://gist.github.com/iansu/282dbe3d722bd7231fa3224c0f403fa1

@iyash1
Author

iyash1 commented Aug 7, 2020

Thank you for the quick response. Can you tell me when the next release is, or share your release plans?

@eps1lon
Contributor

eps1lon commented Sep 28, 2020

Note that you have to regenerate the version of terser-webpack-plugin (^1.4.5) that webpack is using. Otherwise a fresh install of react-scripts@3.4.3 no longer pulls in a vulnerable version of serialize-javascript. This issue can be closed.

@jissv

jissv commented Oct 13, 2020

Hi, for one of our projects, after upgrading react-scripts to the latest version (react-scripts@3.4.3), the Veracode static code analysis tool points out that a few libraries are vulnerable to uninitialized buffer allocation attacks and prototype pollution. These libraries are given below:

ajv@6.11.0 is vulnerable to prototype pollution. By upgrading this to a version >=6.12.4, this issue can be resolved.
websocket-driver@0.6.5 is vulnerable to uninitialized buffer allocation attacks. By upgrading this to a version >=0.7.1, this issue can be resolved.

Is there any plan to upgrade these packages to improve security? If yes, could you please let us know by when these changes could be implemented? Any quick help/support you could provide on this would be much appreciated.
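
The two reports in this thread both come down to the same check: which version of a transitive package the lockfile actually resolves, whether it is below the version the scanner wants, and which dependent is pulling it in (the point eps1lon makes about terser-webpack-plugin is that the resolution, not the declared range, can be stale). The script below is an added example, not code from this issue or from the react-scripts project. It walks a lockfileVersion 1 package-lock.json; the lockfile it scans is constructed inline, with the package names from this thread but made-up version numbers and ranges, and the minimum versions are the ones quoted above (taking the later 6.12.4 figure for ajv).

```javascript
// Added example (not from react-scripts or this issue): scan a lockfileVersion 1
// package-lock.json for resolved versions of the packages named in this thread
// that sit below the minimum versions the reporters asked for, and report which
// dependents resolve to each flagged copy.

// Minimum versions quoted in the thread. Assumption: the later ajv figure
// (>=6.12.4) supersedes the earlier 6.12.3.
const MINIMUM_SAFE = {
  "serialize-javascript": "3.1.0",
  ajv: "6.12.4",
  sockjs: "0.3.20",
  "websocket-driver": "0.7.1",
};

// Constructed sample lockfile: package names follow the thread, but every
// version number and range here is made up for the example.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": { version: "3.4.1", requires: { webpack: "4.42.0", "webpack-dev-server": "3.10.3" } },
    webpack: { version: "4.42.0", requires: { "terser-webpack-plugin": "^1.4.3", ajv: "^6.10.2" } },
    "terser-webpack-plugin": { version: "1.4.3", requires: { "serialize-javascript": "^2.1.2" } },
    "serialize-javascript": { version: "2.1.2" },
    ajv: { version: "6.11.0" },
    "webpack-dev-server": {
      version: "3.10.3",
      requires: { sockjs: "0.3.19", ajv: "^6.12.3" },
      // npm nests a second copy when the hoisted one does not satisfy the range
      dependencies: { ajv: { version: "6.12.6" } },
    },
    sockjs: { version: "0.3.19", requires: { "faye-websocket": "^0.10.0" } },
    "faye-websocket": { version: "0.10.0", requires: { "websocket-driver": ">=0.5.1" } },
    "websocket-driver": { version: "0.6.5" },
  },
};

// Numeric x.y.z comparison; a pre-release tag is dropped, so "3.1.0-beta.1"
// counts as 3.1.0. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Flatten the hoisted tree, descending into nested "dependencies" blocks.
// Each node keeps its install path so npm's resolution can be replayed.
function walkLock(lock) {
  const nodes = [];
  const visit = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, name];
      nodes.push({ name, version: node.version, requires: node.requires || {}, path: here });
      visit(node.dependencies, here);
    }
  };
  visit(lock.dependencies, []);
  return nodes;
}

function findVulnerable(lock, minimums = MINIMUM_SAFE) {
  if (lock.lockfileVersion !== 1) throw new Error("only lockfileVersion 1 trees are handled here");
  const nodes = walkLock(lock);
  const byPath = new Map(nodes.map((n) => [n.path.join("/"), n]));
  // Node's lookup order: a package installed at path P finds X in the deepest
  // node_modules scope along P that contains X.
  const resolve = (fromPath, name) => {
    for (let i = fromPath.length; i >= 0; i--) {
      const hit = byPath.get([...fromPath.slice(0, i), name].join("/"));
      if (hit) return hit;
    }
    return undefined;
  };
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const findings = [];
  for (const n of nodes) {
    const min = minimums[n.name];
    if (!min || compareVersions(n.version, min) >= 0) continue;
    // Only dependents whose lookup lands on this exact copy are listed.
    const dependents = nodes
      .filter((d) => hasOwn(d.requires, n.name) && resolve(d.path, n.name) === n)
      .map((d) => `${d.name}@${d.version}`);
    findings.push({
      name: n.name,
      version: n.version,
      minimum: min,
      installedAt: "node_modules/" + n.path.join("/node_modules/"),
      dependents,
    });
  }
  return findings;
}

// One line per finding, suitable for a CI log.
function formatReport(findings) {
  return findings.map(
    (f) => `${f.name}@${f.version} < ${f.minimum} at ${f.installedAt} (pulled in by ${f.dependents.join(", ") || "root"})`
  );
}

console.log(formatReport(findVulnerable(SAMPLE_LOCK)).join("\n"));
```

Run it with `node` to see the report for the constructed lockfile, or pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerable` for a real one. The nested ajv copy under webpack-dev-server is deliberately above the minimum, so the hoisted 6.11.0 is attributed only to webpack: that is the distinction a flat "is ajv in my tree" grep loses. A finding whose dependent already declares a range that admits a fixed release means the lockfile, not the dependency declaration, is what needs regenerating; `npm ls <package>` shows the same resolution chain from npm's side.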

@gaearon
Contributor

gaearon commented Jul 7, 2021

This is already resolved.

@gaearon gaearon closed this as completed Jul 7, 2021