Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix #29724: ip dependency update for CVE-2024-29415 #29725

Merged
merged 1 commit into from
Jun 5, 2024

Conversation

Rekl0w
Copy link
Contributor

@Rekl0w Rekl0w commented Jun 3, 2024

Summary

This version update of ip dependency solves the CVE-2024-29415 vulnerability.

Copy link

vercel bot commented Jun 3, 2024

@Rekl0w is attempting to deploy a commit to the Meta Open Source Team on Vercel.

A member of the Team first needs to authorize it.

@Rekl0w
Copy link
Contributor Author

Rekl0w commented Jun 5, 2024

Might be important to merge quickly. @rickhanlonii

Copy link
Contributor

@hoxyq hoxyq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@hoxyq hoxyq merged commit 8d87e37 into facebook:main Jun 5, 2024
38 of 39 checks passed
github-actions bot pushed a commit that referenced this pull request Jun 5, 2024
## Summary

This version update of `ip` dependency solves the CVE-2024-29415
vulnerability.

DiffTrain build for commit 8d87e37.
@svozza
Copy link

svozza commented Jun 5, 2024

This won't fix the issue, the CVE still affects v2.0.1 of ip. The package appears to be unmaintained and it's being removed by some big projects, e.g., npm replaced it with ip-address recently: indutny/node-ip#150 (comment).

@hoxyq
Copy link
Contributor

hoxyq commented Jun 5, 2024

This won't fix the issue, the CVE still affects v2.0.1 of ip. The package appears to be unmaintained and it's being removed by some big projects, e.g., npm replaced it with ip-address recently: indutny/node-ip#150 (comment).

Oh, thanks for the context, completely missed this. I will look for other options.

hoxyq added a commit that referenced this pull request Jun 5, 2024
## Summary

There was an attempt to upgrade `ip` to 2.0.1 to mitigate CVE in
#29725 (comment),
but there actually another one CVE in version `2.0.1`. Instead, migrate
to `internal-ip`, which similarly small package that we can use

Note: not upgrading to version 7+, because they are pure ESM.

## How did you test this change?

Validated that standalone version of RDT works and connects to the app.
hoxyq added a commit that referenced this pull request Jun 18, 2024
Full list of changes:

* chore[react-devtools]: improve console arguments formatting before
passing it to original console ([hoxyq](https://github.com/hoxyq) in
[#29873](#29873))
* chore[react-devtools]: unify console patching and default to ansi
escape symbols ([hoxyq](https://github.com/hoxyq) in
[#29869](#29869))
* chore[react-devtools/backend]: remove
consoleManagedByDevToolsDuringStrictMode
([hoxyq](https://github.com/hoxyq) in
[#29856](#29856))
* chore[react-devtools/extensions]: make source maps url relative
([hoxyq](https://github.com/hoxyq) in
[#29886](#29886))
* fix[react-devtools] divided inspecting elements between inspecting do…
([vzaidman](https://github.com/vzaidman) in
[#29885](#29885))
* [Fiber] Create virtual Fiber when an error occurs during reconcilation
([sebmarkbage](https://github.com/sebmarkbage) in
[#29804](#29804))
* fix[react-devtools] component badge in light mode is now not invisible
([vzaidman](https://github.com/vzaidman) in
[#29852](#29852))
* Remove Warning: prefix and toString on console Arguments
([sebmarkbage](https://github.com/sebmarkbage) in
[#29839](#29839))
* Add jest lint rules ([rickhanlonii](https://github.com/rickhanlonii)
in [#29760](#29760))
* [Fiber] Track the Real Fiber for Key Warnings
([sebmarkbage](https://github.com/sebmarkbage) in
[#29791](#29791))
* fix[react-devtools/store-test]: fork the test to represent current be…
([hoxyq](https://github.com/hoxyq) in
[#29777](#29777))
* Default native inspections config false
([vzaidman](https://github.com/vzaidman) in
[#29784](#29784))
* fix[react-devtools] remove native inspection button when it can't be
used ([vzaidman](https://github.com/vzaidman) in
[#29779](#29779))
* chore[react-devtools]: ip => internal-ip
([hoxyq](https://github.com/hoxyq) in
[#29772](#29772))
* Fix #29724: `ip` dependency update for CVE-2024-29415
([Rekl0w](https://github.com/Rekl0w) in
[#29725](#29725))
* cleanup[react-devtools]: remove unused supportsProfiling flag from
store config ([hoxyq](https://github.com/hoxyq) in
[#29193](#29193))
* [Fiber] Enable Native console.createTask Stacks When Available
([sebmarkbage](https://github.com/sebmarkbage) in
[#29223](#29223))
* Move createElement/JSX Warnings into the Renderer
([sebmarkbage](https://github.com/sebmarkbage) in
[#29088](#29088))
* Set the current fiber to the source of the error during error
reporting ([sebmarkbage](https://github.com/sebmarkbage) in
[#29044](#29044))
* Unify ReactFiberCurrentOwner and ReactCurrentFiber
([sebmarkbage](https://github.com/sebmarkbage) in
[#29038](#29038))
* Dim `console` calls on additional Effect invocations due to
`StrictMode` ([eps1lon](https://github.com/eps1lon) in
[#29007](#29007))
* refactor[react-devtools]: rewrite context menus
([hoxyq](https://github.com/hoxyq) in
[#29049](#29049))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants