
Inflight dependency vulnerable #47866

Open
st-patrick opened this issue Nov 21, 2024 · 0 comments

Description

Hello!

I, like probably thousands of other react-native users, work in a corporate environment where certain automated vulnerability scanners are used to check whether an app is allowed to launch or not.

React-native, through glob, uses the deprecated inflight package which we cannot upgrade or easily exchange.

Would someone from the team please give us an official statement here, that the inflight package is not a real security risk and can thus be used even in apps that handle sensitive data?

Since it is a dependency of glob, I am guessing it might only be used at build time? If so, please confirm so we can go on with our lives :)

I have included meaningless reproducible examples, since this isn't that kind of issue.

Thank you!

Steps to reproduce

  1. create a new react native 0.76.2 project
  2. run npm ls inflight
  3. check several websites to realize that inflight has a memory leak issue and has since been deprecated

React Native Version

0.76.2

Affected Platforms

Runtime - Android, Runtime - iOS, Runtime - Web, Runtime - Desktop

Output of npx react-native info

System:
  OS: macOS 15.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 1.25 GB / 32.00 GB
  Shell:
    version: "5.9"
    path: /bin/zsh
Binaries:
  Node:
    version: 20.12.1
    path: /usr/local/bin/node
  Yarn:
    version: 1.22.22
    path: /usr/local/bin/yarn
  npm:
    version: 10.5.0
    path: /usr/local/bin/npm
  Watchman:
    version: 2024.08.12.00
    path: /opt/homebrew/bin/watchman
Managers:
  CocoaPods:
    version: 1.15.2
    path: /Users/patrick.reinbold/.rbenv/shims/pod
SDKs:
  iOS SDK:
    Platforms:
      - DriverKit 24.1
      - iOS 18.1
      - macOS 15.1
      - tvOS 18.1
      - visionOS 2.1
      - watchOS 11.1
  Android SDK: Not Found
IDEs:
  Android Studio: 2023.2 AI-232.10300.40.2321.11567975
  Xcode:
    version: 16.1/16B40
    path: /usr/bin/xcodebuild
Languages:
  Java: Not Found
  Ruby:
    version: 3.0.7
    path: /Users/patrick.reinbold/.rbenv/shims/ruby
npmPackages:
  "@react-native-community/cli":
    installed: 15.1.2
    wanted: latest
  react:
    installed: 18.3.1
    wanted: 18.3.1
  react-native:
    installed: 0.76.2
    wanted: 0.76.2
  react-native-macos: Not Found
npmGlobalPackages:
  "*react-native*": Not Found
Android:
  hermesEnabled: Not found
  newArchEnabled: Not found
iOS:
  hermesEnabled: Not found
  newArchEnabled: Not found

Stacktrace or Logs

npm audit

Reproducer

https://snack.expo.dev/@patrick.reinbold/trusting-green-macaroni-and-cheese

Screenshots and Videos

No response
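A way to answer the build-time-only question asked above, added here as an example that is not part of the issue or of react-native: it walks the tree that `npm ls --all --json` prints (a constructed sample tree is embedded in place of real output) and lists every path to a named package, relying on npm 7 and later marking packages reachable only through devDependencies with `"dev": true`.

```python
import json
import sys

# Constructed sample shaped like `npm ls --all --json` output (not real react-native
# output): one path to inflight via a runtime dependency, one via a devDependency.
SAMPLE_TREE = {
    "name": "example-app",
    "dependencies": {
        "some-runtime-lib": {
            "version": "1.0.0",
            "dependencies": {
                "glob": {"version": "7.2.3",
                         "dependencies": {"inflight": {"version": "1.0.6"}}}}},
        "some-test-tool": {
            "version": "2.0.0", "dev": True,
            "dependencies": {
                "glob": {"version": "8.1.0", "dev": True,
                         "dependencies": {"inflight": {"version": "1.0.6", "dev": True}}}}},
        "another-lib": {
            "version": "3.0.0",
            "dependencies": {"glob": {"version": "7.2.3", "deduped": True}}}}}

def find_occurrences(tree, target, prefix=()):
    """List every node named `target` with its path; npm flags dev-only nodes with "dev": true."""
    found = []
    for name, node in tree.get("dependencies", {}).items():
        path = prefix + (name,)
        if name == target:
            found.append({"path": " > ".join(path),
                          "version": node.get("version", "?"),
                          "dev_only": bool(node.get("dev"))})
        # A deduped entry refers to a copy listed elsewhere and carries no subtree.
        if not node.get("deduped"):
            found.extend(find_occurrences(node, target, path))
    return found

def reachability(tree, target):
    """'absent', 'dev-only' (every occurrence is dev-flagged) or 'runtime'."""
    occurrences = find_occurrences(tree, target)
    if not occurrences:
        return "absent"
    return "dev-only" if all(o["dev_only"] for o in occurrences) else "runtime"

if __name__ == "__main__":
    # Usage: npm ls --all --json | python check_dep.py inflight
    target = sys.argv[1] if len(sys.argv) > 1 else "inflight"
    tree = json.loads(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_TREE
    print(json.dumps(find_occurrences(tree, target), indent=2))
    print("verdict:", reachability(tree, target))
```

npm's "dev" flag reflects how the dependency is declared, not whether Metro bundles the code into the app; a package pulled in by CLI tooling shows as "runtime" here yet still only executes on the build machine.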
