facebook / metro

🚇 The JavaScript bundler for React Native
https://metrobundler.dev
MIT License
5.17k stars 614 forks

npm report vulnerabilities on dependency "braces" #358

Open Jonathan0wh opened 5 years ago

Jonathan0wh commented 5 years ago

Do you want to request a feature or report a bug? bug

What is the current behavior?

=== npm audit security report ===

Low | Regular Expression Denial of Service
  Package:       braces
  Patched in:    >=2.3.1
  Dependency of: 5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
  Path:          5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
                 > metro > jest-haste-map > micromatch > braces
  More info:     https://npmjs.com/advisories/786

Low | Regular Expression Denial of Service
  Package:       braces
  Patched in:    >=2.3.1
  Dependency of: 5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
  Path:          5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
                 > metro > metro-cache > metro-core > jest-haste-map > micromatch > braces
  More info:     https://npmjs.com/advisories/786

Low | Regular Expression Denial of Service
  Package:       braces
  Patched in:    >=2.3.1
  Dependency of: 5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
  Path:          5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
                 > metro > metro-config > metro-cache > metro-core > jest-haste-map > micromatch > braces
  More info:     https://npmjs.com/advisories/786

Low | Regular Expression Denial of Service
  Package:       braces
  Patched in:    >=2.3.1
  Dependency of: 5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
  Path:          5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
                 > metro > metro-config > metro-core > jest-haste-map > micromatch > braces
  More info:     https://npmjs.com/advisories/786

Low | Regular Expression Denial of Service
  Package:       braces
  Patched in:    >=2.3.1
  Dependency of: 5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
  Path:          5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
                 > metro > metro-core > jest-haste-map > micromatch > braces
  More info:     https://npmjs.com/advisories/786

Low | Regular Expression Denial of Service
  Package:       braces
  Patched in:    >=2.3.1
  Dependency of: 5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
  Path:          5395c116ad87da5cbe069ce6e2624dfdb903cb8284e1b0d46f6f319cc22…
                 > metro-core > jest-haste-map > micromatch > braces
  More info:     https://npmjs.com/advisories/786

found 6 low severity vulnerabilities in 19725 scanned packages
  6 vulnerabilities require manual review
  See the full report for details

Please provide your exact Metro configuration and mention your Metro, node, yarn/npm version and operating system.

package.json:

{
  "name": "empty-project-template",
  "main": "node_modules/expo/AppEntry.js",
  "private": true,
  "scripts": {
    "start": "expo start",
    "android": "expo start --android",
    "ios": "expo start --ios",
    "eject": "expo eject"
  },
  "dependencies": {
    "expo": "^32.0.6",
    "prop-types": "^15.7.2",
    "react": "16.5.0",
    "react-native": "https://github.com/expo/react-native/archive/sdk-32.0.0.tar.gz",
    "react-native-autolink": "^1.6.0",
    "react-native-datepicker": "^1.7.2",
    "react-native-simple-radio-button": "^2.7.3",
    "react-native-vector-icons": "^6.3.0",
    "react-navigation": "^3.3.0",
    "react-redux": "^6.0.0",
    "redux": "^4.0.1",
    "redux-persist": "^5.10.0",
    "redux-thunk": "^2.3.0"
  },
  "devDependencies": {
    "babel-eslint": "^10.0.1",
    "babel-plugin-module-resolver": "^3.2.0",
    "babel-plugin-transform-react-remove-prop-types": "^0.4.24",
    "eslint": "^5.14.0",
    "eslint-config-prettier": "^3.6.0",
    "eslint-import-resolver-babel-module": "^4.0.0",
    "eslint-plugin-import": "^2.16.0",
    "eslint-plugin-prettier": "^3.0.1",
    "eslint-plugin-react": "^7.12.4",
    "eslint-plugin-react-native": "^3.6.0",
    "prettier": "^1.16.4",
    "redux-devtools": "^3.5.0",
    "redux-devtools-dock-monitor": "^1.1.3",
    "redux-devtools-extension": "^2.13.8",
    "redux-devtools-log-monitor": "^1.4.0"
  }
}
alpha0010 commented 5 years ago

A potential fix would be to publish 0.49.3 with jest 24.0.0 (instead of 24.0.0-alpha.6).
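The six findings above are one vulnerable package reached over six different dependency paths, and the proposed fix is to move a package higher up the chain (jest) so that a newer micromatch/braces gets pulled in. The script below is an added example, not code from the metro project or from either commenter: it reproduces what `npm audit` does for such a report by walking a dependency graph, enumerating every path from the project root to the advisory's package, flagging each path when the installed version is below the "Patched in" floor, and then re-running the audit after forcing the transitive package to the patched version (the effect a yarn `resolutions` entry or an npm `overrides` entry has at install time). The graph and every version number in it are constructed to mirror the six paths in the report; they are assumptions, not the versions actually installed in the reporter's project, and the semver helpers are a minimal stand-in for the `semver` package.

```javascript
// Added example, not code from the metro project or the issue thread.
// Reproduces the "Path" enumeration of an npm audit report over an in-memory
// dependency graph. Graph and versions are CONSTRUCTED assumptions.

// Minimal semver parse: "24.0.0-alpha.6" -> { nums: [24,0,0], pre: ["alpha","6"] }
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric fields first; a release outranks any pre-release
// of the same numbers; pre-release identifiers compared left to right, numeric
// identifiers by value and before alphanumeric ones.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;   // release > pre-release (24.0.0 > 24.0.0-alpha.6)
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) < Number(y) ? -1 : 1;
    if (xn) return -1;
    if (yn) return 1;
    return x < y ? -1 : 1;
  }
  return pa.pre.length < pb.pre.length ? -1 : pa.pre.length > pb.pre.length ? 1 : 0;
}

// "Patched in: >=2.3.1" means anything below 2.3.1 is affected.
function isVulnerable(installed, patchedIn) {
  return compareSemver(installed, patchedIn) < 0;
}

// Depth-first enumeration of every simple path root -> ... -> target.
// `onStack` stops the walk from looping on cyclic graphs, which npm permits.
function findPaths(graph, root, target) {
  const paths = [];
  const walk = (name, stack, onStack) => {
    if (name === target) { paths.push([...stack, name]); return; }
    if (onStack.has(name)) return;
    onStack.add(name);
    for (const dep of (graph[name] ? graph[name].deps : [])) {
      walk(dep, [...stack, name], onStack);
    }
    onStack.delete(name);
  };
  walk(root, [], new Set());
  return paths;
}

// One finding per vulnerable path, in the shape of the report above
// (the root package is dropped from the path, as npm audit does).
function audit(graph, root, advisory) {
  const node = graph[advisory.package];
  if (!node || !isVulnerable(node.version, advisory.patchedIn)) return [];
  return findPaths(graph, root, advisory.package).map(p => ({
    severity: advisory.severity,
    title: advisory.title,
    package: advisory.package,
    version: node.version,
    path: p.slice(1).join(' > '),
    moreInfo: advisory.moreInfo,
  }));
}

// Simulate pinning a transitive dependency to a fixed version, which is what a
// yarn "resolutions" or npm "overrides" entry does at install time.
function withOverride(graph, name, version) {
  return { ...graph, [name]: { ...graph[name], version } };
}

// Constructed graph mirroring the six paths in the report; versions are assumptions.
const graph = {
  'app':            { version: '1.0.0',          deps: ['metro', 'metro-core'] },
  'metro':          { version: '0.49.2',         deps: ['jest-haste-map', 'metro-cache', 'metro-config', 'metro-core'] },
  'metro-cache':    { version: '0.49.2',         deps: ['metro-core'] },
  'metro-config':   { version: '0.49.2',         deps: ['metro-cache', 'metro-core'] },
  'metro-core':     { version: '0.49.2',         deps: ['jest-haste-map'] },
  'jest-haste-map': { version: '24.0.0-alpha.6', deps: ['micromatch'] },
  'micromatch':     { version: '2.3.11',         deps: ['braces'] },
  'braces':         { version: '1.8.5',          deps: [] },
};

const bracesAdvisory = {
  severity: 'Low', title: 'Regular Expression Denial of Service',
  package: 'braces', patchedIn: '2.3.1', moreInfo: 'https://npmjs.com/advisories/786',
};

const findings = audit(graph, 'app', bracesAdvisory);
for (const f of findings) console.log(`${f.severity} | ${f.title} | ${f.package}@${f.version} | ${f.path}`);
console.log(`found ${findings.length} ${bracesAdvisory.severity.toLowerCase()} severity vulnerabilities`);

const fixed = audit(withOverride(graph, 'braces', '2.3.1'), 'app', bracesAdvisory);
console.log(`after overriding braces to 2.3.1: ${fixed.length} findings`);
```

Run with `node audit-paths.js`. The six printed paths match the six "Path" rows in the report, and the override run reports zero findings, which is the quick way to confirm that a `resolutions`/`overrides` pin (or the jest bump proposed above, once it actually drags in a braces at or above 2.3.1) closes every path rather than just the first one npm happens to list.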