facebook / prop-types

Runtime type checking for React props and similar objects
MIT License

Security Problem in prop-types@15.6.1 #182

Closed saostad closed 5 years ago

saostad commented 6 years ago

Hi, today I checked my application with Snyk.io and I got this error:

> ✗ Medium severity vulnerability found on ua-parser-js@0.7.17
>     desc: Regular Expression Denial of Service (ReDoS)
>     info: https://snyk.io/vuln/npm:ua-parser-js:20180227
>     from: kusa-timesheet-webapp-client@0.1.0 > antd@3.4.5 > rc-dropdown@2.1.2 > rc-trigger@2.3.4 > rc-animate@2.4.4 > prop-types@15.6.1 > fbjs@0.8.16 > ua-parser-js@0.7.17
>     Fix: None available. Consider removing this dependency.

fczuardi commented 6 years ago

as a workaround, if using yarn, you can add the following to your package.json:

```json
"resolutions": {
  "ua-parser-js": "^0.7.18"
}
```

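The chain in the Snyk report shows why the transitive dependency matters: the application never asks for ua-parser-js directly, it arrives seven levels down through prop-types and fbjs. The following script is an added example, not code from the prop-types project or from anyone in this thread. It walks a dependency tree constructed here to mirror the reported `from:` chain, lists every path that ends in a version below the fixed one, and then applies an override the way a yarn `resolutions` entry does, so you can confirm the workaround actually removes the vulnerable version from the tree. The tree shape (`name`, `version`, `dependencies`) and the function names are assumptions of this example.

```javascript
// Added example (not from the prop-types project): audit a dependency tree
// for a transitive package below a fixed version, then simulate what a yarn
// "resolutions" override does to that tree.

// Parse "0.7.17" (or "^0.7.18") into [0, 7, 17]; leading range markers are dropped.
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, per component).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Tree node shape (assumed for this example):
//   { name: string, version: string, dependencies: [node, ...] }
// Returns every "a@1 > b@2 > ..." path whose last element is pkgName at a
// version older than fixedVersion.
function findVulnerablePaths(tree, pkgName, fixedVersion) {
  const hits = [];
  (function walk(node, path) {
    const here = path.concat(`${node.name}@${node.version}`);
    if (node.name === pkgName && compareVersions(node.version, fixedVersion) < 0) {
      hits.push(here.join(' > '));
    }
    for (const dep of node.dependencies || []) walk(dep, here);
  })(tree, []);
  return hits;
}

// Simulate a yarn "resolutions" entry: every occurrence of pkgName anywhere in
// the tree is forced to resolvedVersion. Returns a new tree; the input is untouched.
function applyResolution(tree, pkgName, resolvedVersion) {
  return {
    name: tree.name,
    version: tree.name === pkgName ? resolvedVersion : tree.version,
    dependencies: (tree.dependencies || []).map(d => applyResolution(d, pkgName, resolvedVersion)),
  };
}

// Build a linear chain root > dep > dep ... from "name@version" strings.
function chain(specs) {
  return specs.reduceRight((child, spec) => {
    const at = spec.lastIndexOf('@');
    return { name: spec.slice(0, at), version: spec.slice(at + 1), dependencies: child ? [child] : [] };
  }, null);
}

// Constructed sample: the exact chain from the Snyk report in this issue.
const sampleTree = chain([
  'kusa-timesheet-webapp-client@0.1.0', 'antd@3.4.5', 'rc-dropdown@2.1.2',
  'rc-trigger@2.3.4', 'rc-animate@2.4.4', 'prop-types@15.6.1',
  'fbjs@0.8.16', 'ua-parser-js@0.7.17',
]);

const FIXED = '0.7.18';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', findVulnerablePaths(sampleTree, 'ua-parser-js', FIXED));
  const patched = applyResolution(sampleTree, 'ua-parser-js', FIXED);
  console.log('after resolution:', findVulnerablePaths(patched, 'ua-parser-js', FIXED));
}
```

Run with `node audit-tree.js`: the first line prints the single vulnerable path matching the Snyk `from:` chain, the second prints an empty list once the override is applied. In a real project, `yarn why ua-parser-js` or the lockfile is the source of the tree; the point of the simulation is that a resolution rewrites every occurrence, including the ones you did not add yourself.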
fczuardi commented 6 years ago

but a PR updating this dependency on prop-types should be simple to write too, we should submit one...

fczuardi commented 6 years ago

actually, the patch should be submitted to fbjs, I don't know if there is an open issue for this on that project yet https://github.com/facebook/fbjs/issues

fczuardi commented 6 years ago

:point_up: opened

ljharb commented 5 years ago

fbjs is no longer a dependency of this module.