facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License

`node-copy-paste` breaks on android (termux) #3837

Closed brysgo closed 6 years ago

brysgo commented 6 years ago

When trying to create a new CRA project on android, node-copy-paste causes a crash because of a platform check.

brysgo commented 6 years ago

Confirmed with yarn link that the above PR fixes this.

gaearon commented 6 years ago

How do we use node-copy-paste?

brysgo commented 6 years ago

Not sure, I can investigate when I get some time.

Timer commented 6 years ago

JHaddad@W10LJHADDADSURF MINGW64 ~/Documents/Development/create-react-app (remove-cssm-docs)
$ yarn why copy-paste
yarn why v1.3.2
[1/4] Why do we have the module "copy-paste"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info This module exists because "workspace-aggregator-5c248a94-35ae-4f58-8b1e-45e710c97334#create-react-app#envinfo" depends on it.
Done in 1.06s.

Our new --info flag.

viankakrisna commented 6 years ago

https://github.com/xavi-/node-copy-paste/issues/61 will it affect CRA users?

bondz commented 6 years ago

snyk reports a vulnerability as a result of the module

snyk test create-react-app
✗ Medium severity vulnerability found on sync-exec@0.6.2
- desc: Insecure use of Tmp files
- info: https://snyk.io/vuln/npm:sync-exec:20160124
- from: create-react-app@1.5.0 > envinfo@3.10.0 > copy-paste@1.3.0 > sync-exec@0.6.2
Fix: None available. Consider removing this dependency.

Tested create-react-app for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.

cc @tabrindle

bondz commented 6 years ago

A possible solution is to pin the envinfo version to 3.4.2; the clipboard option that is the cause of this issue and of the added vulnerability would then be mitigated. We currently do not use the clipboard option anyway.

tabrindle commented 6 years ago

If it's causing problems, it's an easy fix to remove the module upstream in envinfo.

gaearon commented 6 years ago

For now I'll cut a patch to create-react-app with https://github.com/facebookincubator/create-react-app/pull/3853 but happy to merge other solutions later.

gaearon commented 6 years ago

OK, 1.5.1 of the CLI is out and should pin the version. I'll keep this open so somebody can offer a better upstream solution (?)

tabrindle commented 6 years ago

Sorry about this guys.

Seems like there are two problems here - the vulnerability and the incompatibility with Termux - both are fixed by using a different module for envinfo's --clipboard option.

Doesn't look like node-copy-paste is very active, and sync-exec isn't getting fixed. Clipboardy has no known vulnerabilities, advertises compatibility with Termux, and works with node 4.

@brysgo I have pushed a new version of envinfo@3.11.0. Can you confirm that npx envinfo@3.11.0 --clipboard works, or at least does not break in the same place? I've never tested any of these things on Android 😂 Works on MacOS ¯\_(ツ)_/¯

@gaearon As soon as we confirm this works, I'll make a PR to update the version of envinfo to 3.11.0.

gaearon commented 6 years ago

No worries, thanks for jumping on it.

brysgo commented 6 years ago

@tabrindle - Here is the output of the above command, doesn't blow up:

[screenshot of the command output attached]

Timer commented 6 years ago

Fix up in https://github.com/facebook/create-react-app/pull/3859