[DevTools Bug]: react-devtools depends on vulnerable versions of electron and got

[eikowagenknecht]

Website or app

https://github.com/facebook/react/blob/main/packages/react-devtools/package.json

Repro steps

electron 23.3.13 has a vulnarability, should be updated to 24+, see links below

# npm audit report

electron  23.0.0-alpha.1 - 23.3.13
Severity: moderate
ASAR Integrity bypass via filetype confusion in electron - https://github.com/advisories/GHSA-7m48-wc93-9g85
fix available via `npm audit fix --force`
Will install react-devtools@4.27.2, which is a breaking change
node_modules/electron
  react-devtools  >=2.1.8
  Depends on vulnerable versions of electron
  Depends on vulnerable versions of update-notifier
  node_modules/react-devtools

Also the used update-notifier relies on a version of got that has vulnerabilities

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install react-devtools@4.27.2, which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

How often does this bug happen?

Every time

DevTools package (automated)

No response

DevTools version (automated)

No response

Error message (automated)

No response

Error call stack (automated)

No response

Error component stack (automated)

No response

GitHub query string (automated)

No response

[Nathan-Roberts123]

I noticed that too when I was installing react-devtools and ran npm audit. I got the same message.

[Tarun-Mittal-cell]

I've reviewed the vulnerabilities for electron and got as outlined in this issue.

I'm ready to update electron to version 24+ and got to a secure version, ensuring all necessary compatibility checks and testing are performed according to the contribution guidelines.

Could you please confirm if this issue is still open for contribution, and if so, may I proceed with working on it?

Thank you!

[hoxyq]

Any contributions are welcomed, please open a PR and mention this issue.
To validate your solution, follow these steps:

1. Run yarn build-for-devtools in the root of a cloned repo
2. Run yarn build in packages/react-devtools-core
3. Run yarn start in packages/react-devtools, this should open React DevTools in electron shell, then you can test it with React Native application, or React application in Safari (some changes might be required for this to work, see examples in the repo).