Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump immer version for fixing security issue #10791

Merged
merged 1 commit into from
May 12, 2021

Conversation

shamprasadrh
Copy link
Contributor

Bump immer minor version to fix Prototype Pollution Security issue.

image

Bump immer minor version to fix `Prototype Pollution` Security issue.
@facebook-github-bot
Copy link

Hi @shamprasadrh!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks!

@facebook-github-bot
Copy link

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

@k-funk
Copy link

k-funk commented May 7, 2021

@shamprasadrh are you also getting an audit warning for url-parse on 3.4.4? Some bot made this issue, but don't think it will solve my warning in npm audit since it's just a yarn lock.




┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Path traversal                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ url-parse                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > sockjs-client >         │
│               │ url-parse                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1678                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@k-funk
Copy link

k-funk commented May 7, 2021

The bots are acting weird . Are you a developer? Get Outlook for iOShttps://aka.ms/o0ukef

________________________________ From: Kevin Funk @.> Sent: Saturday, May 8, 2021 12:01:15 AM To: facebook/create-react-app @.> Cc: Subscribed @.***> Subject: Re: [facebook/create-react-app] Bump immer version for fixing security issue (#10791) @shamprasadrhhttps://github.com/shamprasadrh are you also getting an audit warning for url-parse on 3.4.4? Some bot made this issue<#10934>, but don't think it will solve my warning in npm audit since it's just a yarn lock. ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Path traversal │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ url-parse │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ react-scripts │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ react-scripts > webpack-dev-server > sockjs-client > │ │ │ url-parse │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/1678 │ └───────────────┴──────────────────────────────────────────────────────────────┘ — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#10791 (comment)>, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AS3AD2G4MAEP6J5GANNP6ADTMRIJXANCNFSM42QYSOBQ.

yes, but I have not worked on this repo before.

@shamprasadrh
Copy link
Contributor Author

@shamprasadrh are you also getting an audit warning for url-parse on 3.4.4? Some bot made this issue, but don't think it will solve my warning in npm audit since it's just a yarn lock.




┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Path traversal                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ url-parse                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server > sockjs-client >         │
│               │ url-parse                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1678                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

No I am not getting that issue.

@iansu iansu merged commit 281a868 into facebook:master May 12, 2021
@iansu
Copy link
Contributor

iansu commented May 12, 2021

Thanks!

andriijas pushed a commit that referenced this pull request May 28, 2021
* Revert "Revert "Update postcss packages" (#10216)"

This reverts commit 3968923.

* Revert "Update postcss packages" (#10216)

This reverts commit 580ed5d.

* Update postcss and loader

* Update fork-ts-checker-webpack-plugin@5.2.1

References:
* [hook rename](TypeStrong/fork-ts-checker-webpack-plugin#490)
* [include/exclude](TypeStrong/fork-ts-checker-webpack-plugin#450) and [issue options](https://github.com/TypeStrong/fork-ts-checker-webpack-plugin#issues-options)
* [release notes 5.0.0](https://github.com/TypeStrong/fork-ts-checker-webpack-plugin/releases/tag/v5.0.0)

* Update fork-ts-checker-webpack-plugin 6.0.5

* Add css-minimizer-webpack-plugin@1.1.5 remove

Add css-minimizer-webpack-plugin@1.1.5
Remove optimize-css-assets-webpack-plugin and postcss-safe-parser

References:
* https://webpack.js.org/plugins/css-minimizer-webpack-plugin/

* Add support for Webpack 5 message objects

* Update WebpackManifestPlugin to v3.0.0

* Support both "SingleEntryPlugin" and "EntryPlugin"

* Support Webpack 5 IgnorePlugin signature

Reference:
* https://webpack.js.org/plugins/ignore-plugin/#example-of-ignoring-moment-locales
* #10006

* Update webpack and dev server

* Enable persistent cache

* Fix react-error-overlay webpack

* Fix dev server config

* Remove support for SingleEntryPlugin

* update workbox-webpack-plugin

* Fix post css config

* Comment out WebpackManifestPlugin for now having issues with undefined path

* Add fast refresh entries to ModuleScopePlugin

* Format files

* Remove unused variables in start command

* git ignore tsconfig.tsbuildinfo
supporting incremental typescript builds

* simplify output path

review feedback from @kumarlachhani

* Use asset modules in react-scripts

* Use asset modules in react-error-overlay

* eslint-config-react-app typo fix (#10317)

This just fixes a shell snippet in the readme file for this plugin

* Fix link address (#10907)

Replace the Github home link with a link to the repo's main page or a link to the source (https://github.com/CodeByZach/pace/blob/master/pace.js)

* Bump immer version for fixing security issue (#10791)

Bump immer minor version to fix `Prototype Pollution` Security issue.

* test(create-react-app): add integration tests (#10381)

* Revert "Use asset modules in react-error-overlay"

This reverts commit 952f896.

* Disable broken tests for now

* Revert source-map bump in react-error-overlay

* JSON is using default export

* Webpack config: Remove invalid parser configuration

* Fix issue with ModuleScope and babel runtime

* Fix svgr configuration

* Webpack config svg use file-loader instead of url-loader

* Update postcss-normalize

* Fix asset output name

* Update test matrix using node 12+14

postcss normalize only support node >=12

* Fix file output extension

* Align assetModuleFilename

* pipeline update configuration names

* Add back webpack-manifest-plugin

* Fix kitchen sink get actual href value

.href is prefixed with http://localhost etc.

* Update kitchen sink test to webpack 5 asset modules

* Let webpack handle global this

* Fix eject copy config/webpack/persistentCache folder

* Move tsbuildinfo into cache folder

* Update dependencies

* Update webpack-dev-server to beta.3

* Compilation.modules changed to type Set

reference: comment by @slorber #9994 (comment)

* Format JsonInclusion.js using prettier

* Run prettier on webpack dev server config

* Enable e2e behavior tests using node 12+14

* Comment out e2e behavior tests for now

* Add experimental support for module federation

* Fix missing wds socket path update

accordingly to review by @xiaokekeT

* Revert "Add experimental support for module federation"

This reverts commit 8fdc63b.

Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>
Co-authored-by: jasonwilliams <jase.williams@gmail.com>
Co-authored-by: Joseph Atkins-Turkish <spacerat3004@gmail.com>
Co-authored-by: e-w-h <46170930+e-w-h@users.noreply.github.com>
Co-authored-by: Shamprasad RH <shamprasad.rh@mail.weir>
Co-authored-by: James George <jamesgeorge998001@gmail.com>
wombleton pushed a commit to AurorNZ/create-react-app that referenced this pull request Jun 1, 2021
Bump immer minor version to fix `Prototype Pollution` Security issue.
sumanthratna pushed a commit to sumanthratna/create-react-app that referenced this pull request Aug 4, 2021
Bump immer minor version to fix `Prototype Pollution` Security issue.
abhiisheek pushed a commit to abhiisheek/create-react-app that referenced this pull request May 24, 2023
Bump immer minor version to fix `Prototype Pollution` Security issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants