High level Arbitrary Command Injection vulnerability #7908

Closed
micheleriso opened this issue Oct 30, 2019 · 1 comment

micheleriso commented Oct 30, 2019

Describe the bug

The latest version of react-dev-utils requires the library open@6.4.0, which has a high-level Arbitrary Command Injection vulnerability: https://snyk.io/vuln/npm:open:20180512

Did you try recovering your dependencies?

Yes. I updated to latest versions

Which terms did you search for in User Guide?

Environment

Steps to reproduce

(Write your steps here:)

  1. npm install react-scripts
  2. npm audit

Expected behavior

(Write what you thought would happen.)

Actual behavior

(Write what happened. Please add screenshots!)

Reproducible demo

(Paste the link to an example project and exact instructions to reproduce the issue.)

@heyimalex
Contributor

That page says it affects open <6.0.0, but according to what you wrote we depend on 6.4.0.

andriijas mentioned this issue Oct 30, 2019

lock bot locked and limited conversation to collaborators Nov 5, 2019