Vulnerability in react-dev-utils > ... > set-value #11539
Comments
|
This is happening for [critical] Prototype Pollution in immer
[high] Prototype Pollution in set-value
$ npm list immer 1 ↵ 11118 12:49:44 Vulnerability DB / npm / immer@8.0.1 |
|
The issue is that react-dev-utils@11.0.4 pins the version of immer to 8.0.1. So although immer 9.0.6 fixes the vuln, there is no way for us to pull the latest immer in. This PR removed the version pinning, but it does not look like a new build has been pushed to npm. Can you build and deploy a new version? |
|
Hi Team, Any update or ETA on this one? As it's blocking our build pipeline 😭 Thanks |
|
Just to add some urgency to this, it's blocking ours as well. |
|
It's also blocking our pipeline, some update on this critical vulnerability would be great. |
|
This may not viable for most, but if you've already ejected your configs, we found it fairly easy to migrate off this lib entirely. The ejected scripts contain a lot of boilerplate for dealing with all sorts of various configurations, which you can remove whatever does not apply to your setup. Once we did that, we only had a handful of instances referencing this lib. It seems that the react-dev-utils has chosen to create wrappers around third party libs, which makes it look like you're using more of their lib than you really are. Example: https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/chalk.js We were able to safely point directly to the third party instead. |
|
As @bradseefeld asked, can you build and deploy a new version of the react-dev-utils package with the dependency pinning removed please? |
|
Well, critical audit issue is not resolved in 25 days and a lot of people rely on this. Sad news. |
|
Any update on this? This is holding up our pipeline as well. We don't want to push with critical vulnerabilities, especially prototype pollution... |
|
Could you please add some urgency to this? |
|
Could you please address this vulnerability issue soon? It also blocks our pipeline. |
|
package.json already have "immer": "^9.0.6" but in npmjs still old version
|
|
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs. |
|
+1 |
Describe the bug
There is the following dependencies tree:
└─┬ react-dev-utils@11.0.4
└─┬ fork-ts-checker-webpack-plugin@4.1.6
└─┬ micromatch@3.1.10
└─┬ snapdragon@0.8.2
└─┬ base@0.11.2
└─┬ cache-base@1.0.1
├── set-value@2.0.1
└─┬ union-value@1.0.1
└── set-value@2.0.1
When set-value@2.0.1 have the following vulnerability issues:
https://snyk.io/vuln/npm:set-value@2.0.1
Is there a chance that the dependencies can be updated in order to fix the issue?
Did you try recovering your dependencies?
Yes
Environment
current version of create-react-app: 4.0.3
running from /Users/aarshavs/.npm/_npx/97106/lib/node_modules/create-react-app
System:
OS: macOS 11.5
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 14.18.0 - ~/.nvm/versions/node/v14.18.0/bin/node
Yarn: Not Found
npm: 6.14.15 - ~/.nvm/versions/node/v14.18.0/bin/npm
Browsers:
Chrome: 94.0.4606.71
Edge: Not Found
Firefox: 92.0.1
Safari: 14.1.2
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: Not Found
npmGlobalPackages:
create-react-app: Not Found
Steps to reproduce
Expected behavior
set-value version will be at least 4.0.1
Actual behavior
set-value version is 2.0.1
The text was updated successfully, but these errors were encountered: