Open abahuja opened 2 years ago
Hey, do we think we could get a look at this?
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Prototype Pollution in immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=9.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1005029 │
└───────────────┴──────────────────────────────────────────────────────────────┘
@iansu @hasanayan
Hey creators, tagging you because this is a critical vulnerability in react-dev-utils v11.0.5.
I'd appreciate input from someone who is a security expert or at least knows enough to be able to confirm this is a false positive, though in all probability this is just another false positive instance of https://github.com/facebook/create-react-app/issues/11174
Valid workarounds at the time of writing are to see if moving to devDependencies + npm audit --production as per #11174, trying out react-scripts@5.0.0-next.47, or using yarn resolutions or npm-force-resolutions fix it for your use case, e.g. making vulnerability scanners based around yarn audit or npm audit (that cannot be switched to npm audit --production) happy.
@pzrq It is not a false positive, because you do not know how the consumers of the package use it. For example, using immer in production.
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
Describe the bug
There was a security bug in immer 8.0.1 and react-dev-utils is now using 9.0.6 but react-dev-utils' version hasn't been bumped ever since, so consumers are still getting the impacted version of immer.
Can we please publish a new version?
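The thread turns on two checks a maintainer or consumer would want to make for themselves: whether a lockfile still carries an immer copy below the patched 9.0.6 (the bug description above), and whether that copy is only reachable through devDependencies, which is what the `npm audit --production` workaround relies on. The following Node.js script is an added example, not code from this thread or from the create-react-app project; the lockfile fragment is constructed for illustration in the lockfileVersion 2 shape (`packages` keyed by install path, with `dev: true` marking dev-only entries), and the version comparison assumes plain `major.minor.patch` strings with no prerelease tags.

```javascript
// Added example: flag immer copies in a lockfile that are below the advisory's
// patched version, and separate dev-only copies from production-reachable ones.
const PATCHED_IMMER = "9.0.6"; // "Patched in >=9.0.6" from the advisory table in the thread

// Minimal numeric compare of "major.minor.patch" strings.
// Assumption: no prerelease or build suffixes (returns -1, 0 or 1).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed lockfile fragment (not a real project's lockfile). It models the
// situation described in the thread: react-dev-utils pinned to an old nested
// immer while the top-level immer is already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/react-dev-utils": { version: "11.0.5", dev: true },
    "node_modules/react-dev-utils/node_modules/immer": { version: "8.0.1", dev: true },
    "node_modules/immer": { version: "9.0.6" },
  },
};

// Walk every installed package path; any entry whose path ends in "/immer"
// and whose version is below the patched version is reported.
function findVulnerableImmer(lock, patched = PATCHED_IMMER) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith("/immer")) continue;
    if (compareVersions(meta.version, patched) < 0) {
      hits.push({ path: installPath, version: meta.version, devOnly: Boolean(meta.dev) });
    }
  }
  return hits;
}

// Keep only copies that a production install would ship, i.e. the findings that
// `npm audit --production` would still report and the workaround would not hide.
function productionReachable(hits) {
  return hits.filter((h) => !h.devOnly);
}

const hits = findVulnerableImmer(SAMPLE_LOCK);
console.log("immer copies below " + PATCHED_IMMER + ":", hits);
console.log("reachable in a production install:", productionReachable(hits));
```

Running it against the constructed lockfile reports the nested 8.0.1 copy under react-dev-utils as dev-only and nothing as production-reachable, which is exactly the distinction the thread argues over: the scanner finding is real, but whether it matters depends on how the consuming project installs and uses the package.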