facebook / react-native

A framework for building native applications using React
https://reactnative.dev
MIT License

CRITICAL: react-native-codegen is using vulnerable colors.js version via jscodeshift #32865

Closed charlie632 closed 2 years ago

charlie632 commented 2 years ago

Description

colors.js version 1.4.2 includes a very serious vulnerability. See: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

jscodeshift fixes it on 0.13.1 https://github.com/facebook/jscodeshift/commit/7cf9969c1fed3dcf535aebbc9986c32be9214ffc

Can react-native-codegen bump to the newest version of jscodeshift without any regressions?

https://github.com/facebook/react-native/blob/6be46b0bb59f2d88bc78e9a72db672bd55914fa7/packages/react-native-codegen/package.json#L23

Version

0.66.0

Output of npx react-native info

-

Steps to reproduce

-

Snack, code example, screenshot, or link to a repository

No response

PatrickChoDev commented 2 years ago

You can use peerDependencies field in package.json with

...
"peerDependencies": {
    "colors": "1.4.0",
    "faker": "5.3.3" // If you use it too.
},
...

then re-run npm install this can solve my problems. :smile: Hope this works on yours... :smile:

shynonagons commented 2 years ago

> You can use peerDependencies field in package.json with
>
> ...
> "peerDependencies": {
>     "colors": "1.4.0",
>     "faker": "5.3.3" // If you use it too.
> },
> ...
>
> then re-run npm install this can solve my problems. 😄 Hope this works on yours... 😄

You'll also have to delete your package-lock.json or yarn.lock before installing again.
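An added example, not code from this thread or from the react-native project: a small Node script that audits a package-lock.json for every resolved copy of colors, so you can verify whether a pin in package.json actually reached the nested copy that jscodeshift pulls in, and whether deleting the lockfile and reinstalling removed it. The lockfile contents are constructed for the example; the allow-list of acceptable versions (1.4.0, the version this thread pins to) is an assumption, and the `overrides` hint it prints is npm's package.json field for forcing a single transitive version (yarn's equivalent field is `resolutions`).

```javascript
// Added example (not from the thread or from react-native): audit a
// lockfileVersion-2 package-lock.json for every resolved copy of "colors"
// and flag any version outside an allow-list, with the package it is nested under.
'use strict';

// Assumption taken from the thread: 1.4.0 is the version to keep.
const GOOD_COLORS_VERSIONS = new Set(['1.4.0']);

// Constructed lockfile for the example: the workaround hoisted colors@1.4.0
// to the top level, but a stale nested colors@1.4.2 under jscodeshift survived.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'react-native': '0.66.0' }, peerDependencies: { colors: '1.4.0' } },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/react-native': { version: '0.66.0', dependencies: { 'react-native-codegen': '*' } },
    'node_modules/react-native-codegen': { version: '0.66.0', dependencies: { jscodeshift: '^0.13.0' } },
    'node_modules/jscodeshift': { version: '0.13.0', dependencies: { colors: '^1.4.0' } }, // range assumed
    'node_modules/jscodeshift/node_modules/colors': { version: '1.4.2' },
  },
};

// Split a lockfile key into the chain of package names that nests it, e.g.
// "node_modules/jscodeshift/node_modules/colors" -> ["jscodeshift", "colors"].
function nestingChain(key) {
  return key.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
}

// Names of every package whose declared dependencies include `name`.
function dependentsOf(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([, pkg]) => pkg.dependencies && name in pkg.dependencies)
    .map(([key]) => nestingChain(key).slice(-1)[0] || '(root)');
}

// One finding per resolved copy of `name`: where it lives, its version,
// which package it is nested under (null when hoisted), and whether it is allowed.
function auditPackage(lock, name, goodVersions) {
  const findings = [];
  for (const [key, pkg] of Object.entries(lock.packages || {})) {
    const chain = nestingChain(key);
    if (chain[chain.length - 1] !== name) continue;
    findings.push({
      path: key,
      version: pkg.version,
      nestedUnder: chain.length > 1 ? chain[chain.length - 2] : null,
      ok: goodVersions.has(pkg.version),
    });
  }
  return findings;
}

// The lockfile is clean only if every resolved copy is on the allow-list.
function isLockClean(lock, name, goodVersions) {
  return auditPackage(lock, name, goodVersions).every((f) => f.ok);
}

// package.json fragment that forces one version tree-wide with npm "overrides"
// (yarn uses a "resolutions" field for the same purpose).
function overridesFor(name, version) {
  return { overrides: { [name]: version } };
}

function main(lock = SAMPLE_LOCK) {
  const findings = auditPackage(lock, 'colors', GOOD_COLORS_VERSIONS);
  for (const f of findings) {
    const where = f.nestedUnder ? `nested under ${f.nestedUnder}` : 'hoisted to top level';
    console.log(`${f.ok ? 'ok ' : 'BAD'} colors@${f.version} at ${f.path} (${where})`);
  }
  console.log('declared as a dependency by:', dependentsOf(lock, 'colors').join(', '));
  if (!isLockClean(lock, 'colors', GOOD_COLORS_VERSIONS)) {
    console.log('stale copy present; pin it with', JSON.stringify(overridesFor('colors', '1.4.0')),
      'or delete the lockfile and reinstall');
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; after the reinstall described above, the nested entry should be gone and the audit should report only the hoisted copy.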

cortinico commented 2 years ago

Fixed in https://github.com/facebook/react-native/commit/c279a186fa610c99a0b7dd8de43ec1752c2ab9fc via https://github.com/facebook/react-native/pull/32905

charlie632 commented 2 years ago

Cool, thanks @cortinico