facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License
102.71k stars 26.84k forks

release react-dev-utils 11.0.5 #11641

Open abahuja opened 2 years ago

abahuja commented 2 years ago

Describe the bug

There was a security bug in immer 8.0.1 and react-dev-utils is now using 9.0.6 but react-dev-utils' version hasn't been bumped ever since, so consumers are still getting the impacted version of immer.

Can we please publish a new version?

benjdlambert commented 2 years ago

Hey, do we think we could get a look at this?

artola commented 2 years ago

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1005029                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
sarahannnicholson commented 2 years ago

@iansu @hasanayan

Hey creators, tagging you because this is a critical vulnerability in react-dev-utils v11.0.5

https://github.com/advisories/GHSA-33f9-j839-rf8h

sarahannnicholson commented 2 years ago

Dupes: https://github.com/facebook/create-react-app/issues/11660 https://github.com/facebook/create-react-app/issues/11659 https://github.com/facebook/create-react-app/issues/11539 https://github.com/facebook/create-react-app/issues/11523 https://github.com/facebook/create-react-app/issues/11443

pzrq commented 2 years ago

I'd appreciate input from someone who is a security expert or at least knows enough to be able to confirm this is a false positive, though in all probability this is just another false positive instance of https://github.com/facebook/create-react-app/issues/11174

Valid workarounds at the time of writing are to see whether moving to devDependencies plus npm audit --production (as per #11174), trying out react-scripts@5.0.0-next.47, or using yarn resolutions or npm-force-resolutions fixes it for your use case, e.g. making vulnerability scanners based around yarn audit or npm audit (that cannot be switched to npm audit --production) happy.
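The complaint in the issue description is that consumers end up with a nested copy of immer below the patched 9.0.6 floor, and the workaround comment above suggests checking whether a resolution override actually fixes that for your tree. The script below is an added example, not code from this thread or from create-react-app: it walks a lockfile's `packages` map (the package-lock.json v2/v3 shape) and reports every installed immer below the floor together with the package that pulled it in. The lockfile fragment is constructed for the demonstration; the react-dev-utils version in it is the one the thread names.

```javascript
// Added example: find copies of immer older than the patched floor in a
// package-lock.json v2/v3 "packages" map and name the dependent that owns each.
const PATCHED_IMMER = "9.0.6"; // floor from the npm advisory table in the thread

function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 for a < b, a == b, a > b on dotted numeric versions.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A lockfile path such as "node_modules/react-dev-utils/node_modules/immer" is a
// nested copy installed for react-dev-utils, so the parent path identifies the
// dependent. A top-level "node_modules/immer" belongs to the root project.
function findVulnerableImmer(lock, floor = PATCHED_IMMER) {
  const suffix = "/node_modules/immer";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/immer")) continue;
    if (compareVersions(meta.version, floor) >= 0) continue; // patched copy
    const parent = path.slice(0, Math.max(0, path.length - suffix.length));
    findings.push({
      path,
      version: meta.version,
      dependent: parent === "" ? "<root>" : parent.split("node_modules/").pop(),
    });
  }
  return findings;
}

// Constructed lockfile: the root resolved a fixed immer, but react-dev-utils
// still carries its own nested copy, which is what a resolution override fixes.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", dependencies: { "react-scripts": "*", immer: "^9.0.6" } },
    "node_modules/immer": { version: "9.0.6" },
    "node_modules/react-dev-utils": { version: "11.0.5", dependencies: { immer: "8.0.1" } },
    "node_modules/react-dev-utils/node_modules/immer": { version: "8.0.1" },
  },
};

console.log(findVulnerableImmer(sampleLock)); // one finding: 8.0.1 under react-dev-utils
```

Running the same function over the real lockfile after adding a yarn `resolutions` or npm-force-resolutions entry for immer should return an empty array; a non-empty result means the override did not reach the nested copy.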

artola commented 2 years ago

@pzrq It is not a false positive, because you do not know how the consumers of the package use it. For example, using immer in production.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.