Skip to content

[Snyk] Security upgrade react-native from 0.57.3 to 0.69.12 #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade react-native from 0.57.3 to 0.69.12 #144

wants to merge 1 commit into from

Conversation

titanism
Copy link
Contributor

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • example/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning 
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
medium severity Improper Handling of Unexpected Data Type
SNYK-JS-ONHEADERS-10773729		   516  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@socket-security Socket Security
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedjson-schema@​0.2.3100256776100
Addedfsevents@​1.2.441259579100
Addedelliptic@​6.4.11002510079100
Added@​babel/​traverse@​7.1.4100257797100
Addedhandlebars@​4.0.121002510083100
Addedget-caller-file@​1.0.31001005576100
Addedjest-regex-util@​23.3.01001005791100
Updatedjest-get-type@​29.6.3 ⏵ 22.4.310010058 -284100
Addedhome-or-tmp@​3.0.01001005876100
Addedarray-equal@​1.0.01001005877100
Addedindexof@​0.0.1881005875100
Addedis-promise@​2.1.01001005878100
Addedget-value@​2.0.61001005881100
Addedis-finite@​1.0.21001005976100
Addedhas@​1.0.31001005976100
Added@​webassemblyjs/​helper-code-frame@​1.7.81001005979100
Addedcopy-descriptor@​0.1.11001006076100
Updated@​webassemblyjs/​helper-api-error@​1.13.2 ⏵ 1.7.81001006080100
Updated@​webassemblyjs/​ieee754@​1.13.2 ⏵ 1.7.81001006180100
Updatedjest-environment-node@​29.7.0 ⏵ 23.4.0100 +110061 -295100
Addedjest@​23.6.01001006196100
Addedhas-ansi@​2.0.01001006179100
Addedjest-resolve-dependencies@​23.6.01001006196100
Addedjest-environment-jsdom@​23.4.01001006195100
Added@​babel/​plugin-transform-regenerator@​7.0.01001006297100
Addedis-generator-fn@​1.0.01001006276100
Addedinvert-kv@​1.0.01001006276100
Added@​babel/​plugin-syntax-class-properties@​7.0.01001006281100
Added@​babel/​plugin-syntax-json-strings@​7.0.01001006281100
Added@​babel/​plugin-syntax-nullish-coalescing-operator@​7.0.01001006281100
Added@​babel/​plugin-syntax-optional-chaining@​7.0.01001006281100
Updated@​babel/​plugin-syntax-dynamic-import@​7.8.3 ⏵ 7.0.0100 +110062 +281100
Updated@​babel/​plugin-syntax-async-generators@​7.8.4 ⏵ 7.0.0100 +110062 +281100
Updated@​babel/​plugin-syntax-object-rest-spread@​7.8.3 ⏵ 7.0.0100 +110062 +281100
See 395 more rows in the dashboard

View full report

@socket-security Socket Security
Copy link

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Block Critical
fsevents@1.2.4 is Known malware.

Note: This package downloads prebuilt artifacts from a domain which has been compromised. Your system may be infected if you installed this package prior to April 27, 2023

From: example/yarn.locknpm/fsevents@1.2.4

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fsevents@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
@babel/traverse@7.1.4 has a Critical CVE.

CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL)

Affected versions: < 7.23.2; >= 8.0.0-alpha.0 < 8.0.0-alpha.4

Patched version: 7.23.2

From: example/yarn.locknpm/@babel/traverse@7.1.4

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/traverse@7.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
babel-traverse@6.26.0 has a Critical CVE.

CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL)

Affected versions: >= 0

Patched version: No patched versions

From: example/yarn.locknpm/babel-template@6.26.0npm/babel-traverse@6.26.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/babel-traverse@6.26.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
elliptic@6.4.1 has a Critical CVE.

CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL)

Affected versions: < 6.6.1

Patched version: 6.6.1

From: example/yarn.locknpm/elliptic@6.4.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
fsevents@1.2.4 has a Critical CVE.

CVE: GHSA-8r6j-v8pm-fqw3 Code injection in fsevents (CRITICAL)

Affected versions: < 1.2.11

Patched version: 1.2.11

From: example/yarn.locknpm/fsevents@1.2.4

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fsevents@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
handlebars@4.0.12 has a Critical CVE.

CVE: GHSA-w457-6q6x-cgp9 Prototype Pollution in handlebars (CRITICAL)

Affected versions: >= 4.0.0 < 4.3.0; < 3.0.8

Patched version: 4.3.0

From: example/yarn.locknpm/handlebars@4.0.12

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
handlebars@4.0.12 has a Critical CVE.

CVE: GHSA-f2jv-r9rf-7988 Remote code execution in handlebars when compiling templates (CRITICAL)

Affected versions: < 4.7.7

Patched version: 4.7.7

From: example/yarn.locknpm/handlebars@4.0.12

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
handlebars@4.0.12 has a Critical CVE.

CVE: GHSA-765h-qjxv-5f44 Prototype Pollution in handlebars (CRITICAL)

Affected versions: < 4.7.7

Patched version: 4.7.7

From: example/yarn.locknpm/handlebars@4.0.12

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
json-schema@0.2.3 has a Critical CVE.

CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL)

Affected versions: < 0.4.0

Patched version: 0.4.0

From: example/yarn.locknpm/json-schema@0.2.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
loader-utils@1.1.0 has a Critical CVE.

CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL)

Affected versions: >= 2.0.0 < 2.0.3; < 1.4.1

Patched version: 1.4.1

From: example/yarn.locknpm/babel-loader@8.0.4npm/loader-utils@1.1.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/loader-utils@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@titanism @snyk-bot