facebook / react

The library for web and native user interfaces.
https://react.dev
MIT License
229.08k stars 46.86k forks

[DevTools Bug]: react-devtools depends on vulnerable versions of electron and got #28058

Open eikowagenknecht opened 9 months ago

eikowagenknecht commented 9 months ago

Website or app

https://github.com/facebook/react/blob/main/packages/react-devtools/package.json

Repro steps

electron 23.3.13 has a vulnerability; it should be updated to 24+, see links below

# npm audit report

electron  23.0.0-alpha.1 - 23.3.13
Severity: moderate
ASAR Integrity bypass via filetype confusion in electron - https://github.com/advisories/GHSA-7m48-wc93-9g85
fix available via `npm audit fix --force`
Will install react-devtools@4.27.2, which is a breaking change
node_modules/electron
  react-devtools  >=2.1.8
  Depends on vulnerable versions of electron
  Depends on vulnerable versions of update-notifier
  node_modules/react-devtools

Also, the update-notifier that is used relies on a version of got that has vulnerabilities

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install react-devtools@4.27.2, which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

How often does this bug happen?

Every time

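The audit output above mixes two kinds of entries: packages that carry an advisory themselves (electron, got) and packages flagged only because something below them does (package-json, latest-version, update-notifier, react-devtools). The following script is an added example, not code from the issue or from the React project: it takes the object that `npm audit --json` emits (npm 7+ schema), lists the root advisories, walks each one up the `effects` links to the direct dependency that pulls it in, and reports whether the offered fix is the semver-major bump that `npm audit fix --force` would apply. The `sampleAudit` object is constructed by hand to mirror the report in the issue; it is an assumption about that report's JSON form, not a captured artifact.

```javascript
// Added example, not from the issue or the React project.
// Works on the `npm audit --json` object (npm 7+ schema): every entry in
// `vulnerabilities` has `via` (advisory objects, or names of packages it
// depends on), `effects` (packages that depend on it), `isDirect` and
// `fixAvailable`. The sample below is constructed to mirror the issue's report.
const advisoryElectron = {
  source: 1, name: "electron", dependency: "electron", severity: "moderate",
  title: "ASAR Integrity bypass via filetype confusion in electron",
  url: "https://github.com/advisories/GHSA-7m48-wc93-9g85",
  range: ">=23.0.0-alpha.1 <=23.3.13",
};
const advisoryGot = {
  source: 2, name: "got", dependency: "got", severity: "moderate",
  title: "Got allows a redirect to a UNIX socket",
  url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97",
  range: "<11.8.5",
};
// The fix npm offers for both findings: bump the direct dependency across a major.
const breakingFix = { name: "react-devtools", version: "4.27.2", isSemVerMajor: true };

const sampleAudit = {
  vulnerabilities: {
    electron: { name: "electron", severity: "moderate", isDirect: false,
      via: [advisoryElectron], effects: ["react-devtools"],
      range: "23.0.0-alpha.1 - 23.3.13", fixAvailable: breakingFix },
    got: { name: "got", severity: "moderate", isDirect: false,
      via: [advisoryGot], effects: ["package-json"],
      range: "<11.8.5", fixAvailable: breakingFix },
    "package-json": { name: "package-json", severity: "moderate", isDirect: false,
      via: ["got"], effects: ["latest-version"], range: "<=6.5.0", fixAvailable: breakingFix },
    "latest-version": { name: "latest-version", severity: "moderate", isDirect: false,
      via: ["package-json"], effects: ["update-notifier"], range: "0.2.0 - 5.1.0", fixAvailable: breakingFix },
    "update-notifier": { name: "update-notifier", severity: "moderate", isDirect: false,
      via: ["latest-version"], effects: ["react-devtools"], range: "0.2.0 - 5.1.0", fixAvailable: breakingFix },
    "react-devtools": { name: "react-devtools", severity: "moderate", isDirect: true,
      via: ["electron", "update-notifier"], effects: [], range: ">=2.1.8", fixAvailable: breakingFix },
  },
};

// Root advisories: entries whose `via` contains an advisory object rather than
// only package names. Everything else is flagged transitively.
function rootAdvisories(audit) {
  const out = [];
  for (const [pkg, entry] of Object.entries(audit.vulnerabilities)) {
    for (const v of entry.via) {
      if (typeof v === "object" && v !== null) {
        out.push({ package: pkg, installedRange: entry.range, severity: v.severity,
          title: v.title, url: v.url });
      }
    }
  }
  return out;
}

// Follow `effects` upward from `pkg` until a direct dependency (or a package
// nothing depends on) is reached. Returns every path; `seen` guards cycles.
function pathsToDirect(audit, pkg, seen = new Set()) {
  const entry = audit.vulnerabilities[pkg];
  if (!entry || seen.has(pkg) || entry.isDirect || entry.effects.length === 0) {
    return [[pkg]];
  }
  const next = new Set(seen).add(pkg);
  const paths = [];
  for (const parent of entry.effects) {
    for (const rest of pathsToDirect(audit, parent, next)) paths.push([pkg, ...rest]);
  }
  return paths;
}

// One row per root advisory: the dependency chain(s) that carry it up to a
// direct dependency, and whether npm's fix is a semver-major (breaking) bump.
function summarize(audit) {
  return rootAdvisories(audit).map((adv) => {
    const fix = audit.vulnerabilities[adv.package].fixAvailable;
    return {
      ...adv,
      chains: pathsToDirect(audit, adv.package).map((p) => p.join(" -> ")),
      breakingFix: Boolean(fix && fix.isSemVerMajor),
    };
  });
}

console.log(JSON.stringify(summarize(sampleAudit), null, 2));
```

To run this against a real project, replace `sampleAudit` with `JSON.parse` of the output of `npm audit --json`. The two root advisories both resolve to the single direct dependency `react-devtools`, which is why npm can only offer a breaking bump of that package: the vulnerable `got` is four levels down and cannot be fixed from the consuming project's own `package.json`.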

Nathan-Roberts123 commented 9 months ago

I noticed that too when I was installing react-devtools and ran npm audit. I got the same message.

Tarun-Mittal-cell commented 9 months ago

I've reviewed the vulnerabilities for electron and got as outlined in this issue.

I'm ready to update electron to version 24+ and got to a secure version, ensuring all necessary compatibility checks and testing are performed according to the contribution guidelines.

Could you please confirm if this issue is still open for contribution, and if so, may I proceed with working on it?

Thank you!

hoxyq commented 8 months ago

Any contributions are welcome, please open a PR and mention this issue. To validate your solution, follow these steps:

  1. Run yarn build-for-devtools in the root of a cloned repo
  2. Run yarn build in packages/react-devtools-core
  3. Run yarn start in packages/react-devtools; this should open React DevTools in an electron shell, then you can test it with a React Native application or a React application in Safari (some changes might be required for this to work, see examples in the repo).