
release react-dev-utils 11.0.5 #11641

Open
abahuja opened this issue Nov 10, 2021 · 7 comments

Comments

@abahuja

abahuja commented Nov 10, 2021

Describe the bug

There was a security bug in immer 8.0.1 and react-dev-utils is now using 9.0.6 but react-dev-utils' version hasn't been bumped ever since, so consumers are still getting the impacted version of immer.

Can we please publish a new version?

@benjdlambert

Hey, do we think we could get a look at this?

@artola

artola commented Nov 26, 2021

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1005029                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

@sarahannnicholson

@iansu @hasanayan

Hey creators, tagging you because this is a critical vulnerability in react-dev-utils v11.0.5

GHSA-33f9-j839-rf8h

@sarahannnicholson

Dupes:
#11660
#11659
#11539
#11523
#11443

@pzrq

pzrq commented Dec 1, 2021

I'd appreciate input from someone who is a security expert or at least knows enough to be able to confirm this is a false positive, though in all probability this is just another false positive instance of #11174

Valid workarounds at the time of writing are to see if moving to devDependencies + npm audit --production as per #11174, trying out react-scripts@5.0.0-next.47, or using yarn resolutions or npm-force-resolutions fix it for your use case, e.g. making vulnerability scanners based around yarn audit or npm audit (that cannot be switched to npm audit --production) happy.
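An added example, not code from create-react-app or from anyone in this thread, to make concrete the two points argued above: the nested `immer` copy that react-dev-utils drags in (see the opening comment) and the distinction between what `npm audit` and `npm audit --production` report. It scans an npm lockfile's `packages` map (lockfileVersion 2/3, where each installed copy is keyed by its `node_modules` path and dev-only copies carry `"dev": true`), lists every installed copy of a package, flags those below the patched version quoted in the advisory table (`>=9.0.6`), and emits the `resolutions` block that yarn or npm-force-resolutions would use to pin every copy. The lockfile is a constructed sample, the function names are mine, and prerelease tags are deliberately ignored by the version comparison.

```javascript
// Added example (not code from the create-react-app project or from this
// issue): scan a lockfile for every installed copy of a package and report
// copies below the patched version. Assumes npm lockfileVersion 2/3, whose
// "packages" map keys each installed copy by its node_modules path and marks
// dev-only copies with "dev": true.

// Constructed sample lockfile, modelled on the situation in this issue:
// the app's own immer is patched, but react-dev-utils still nests an old one.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { immer: "^9.0.6" } },
    "node_modules/immer": { version: "9.0.6" },
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/react-dev-utils": { version: "11.0.4", dev: true },
    "node_modules/react-dev-utils/node_modules/immer": { version: "8.0.1", dev: true },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a "-prerelease" or "+build"
// suffix is ignored (assumption made for this example, not full semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison; returns <0, 0 or >0 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// List every installed copy of pkgName with its node_modules path, version,
// whether npm marks it dev-only, and whether it is below patchedIn.
function findCopies(lock, pkgName, patchedIn) {
  const suffix = `node_modules/${pkgName}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!entry.version) continue; // links and workspace entries carry no version
    copies.push({
      path,
      version: entry.version,
      dev: entry.dev === true,
      vulnerable: compareVersions(entry.version, patchedIn) < 0,
    });
  }
  return copies;
}

// Summarise the way `npm audit` and `npm audit --production` differ: a
// dev-only copy is still reported by a plain audit, but a production install
// never contains it, which is the distinction the comments above argue about.
function auditSummary(lock, pkgName, patchedIn) {
  const vulnerable = findCopies(lock, pkgName, patchedIn).filter((c) => c.vulnerable);
  return {
    all: vulnerable.map((c) => c.path),
    productionOnly: vulnerable.filter((c) => !c.dev).map((c) => c.path),
  };
}

// Build the package.json "resolutions" block (yarn resolutions, or
// npm-force-resolutions) that forces every nested copy onto the patched version.
function resolutionsFor(pkgName, patchedIn) {
  return { [pkgName]: patchedIn };
}

// Stand-alone run: print the findings for the constructed lockfile.
const PATCHED_IMMER = "9.0.6"; // from the advisory table quoted in the thread
console.log(findCopies(sampleLock, "immer", PATCHED_IMMER));
console.log(auditSummary(sampleLock, "immer", PATCHED_IMMER));
console.log({ resolutions: resolutionsFor("immer", PATCHED_IMMER) });
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. On the sample, the only copy below 9.0.6 is the one nested under react-dev-utils and it is dev-only, so `all` lists it while `productionOnly` is empty; whether that makes the finding a false positive depends, as artola notes in the next comment, on whether the consuming app actually imports immer at runtime through its own dependency rather than through the build tooling.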

@artola

artola commented Dec 2, 2021

@pzrq It is not a false positive, because you do not know how the consumers of the package use it. For example, using immer in production.

@stale

stale bot commented Jan 8, 2022

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Jan 8, 2022
5 participants