Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency vulnerablity in react-scripts #63

Closed
MattRC7 opened this issue Feb 20, 2021 · 3 comments · Fixed by #98
Closed

Dependency vulnerablity in react-scripts #63

MattRC7 opened this issue Feb 20, 2021 · 3 comments · Fixed by #98
Labels
security Site security issues

Comments

@MattRC7
Copy link
Collaborator

MattRC7 commented Feb 20, 2021 

                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > react-dev-utils > immer                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 2000 scanned packages
  1 vulnerability requires manual review. See the full report for details.

npm audit fix could not resolve the issue, as the dependency is nested. Looks like the react-scripts repo is aware, so we should track that issue and bump the version once it is resolved: facebook/create-react-app#10578
@MattRC7
Copy link
Collaborator Author

MattRC7 commented Feb 20, 2021

Do we want to add a security label?

@j256 j256 added the security Site security issues label Feb 21, 2021
@j256
Copy link
Collaborator

j256 commented Feb 21, 2021

Added security label @MattRC7 .

@dldereklee
Copy link
Contributor

Seems to be resolved in 4.0.3
https://github.com/facebook/create-react-app/releases/tag/v4.0.3

@dldereklee dldereklee mentioned this issue Mar 3, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security Site security issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update CRA to 4.0.3 dldereklee/macovidvaccines.com
3 participants
@j256 @MattRC7 @dldereklee