facebookarchive / flux

Application Architecture for Building User Interfaces
https://facebookarchive.github.io/flux/

CVE-2021-27292: ua-parser-js needs to upgrade to 0.7.24 #519

Closed Kenzku closed 2 years ago

Kenzku commented 3 years ago

Hej,

Our static code scan reports this vulnerability in ua-parser-js used by flux@4.0.1:

├─┬ flux@4.0.1
│ ├─┬ fbemitter@3.0.0
│ │ └── fbjs@3.0.0 deduped
│ └─┬ fbjs@3.0.0
│   ├─┬ cross-fetch@3.0.6
│   │ └── node-fetch@2.6.1
│   ├── fbjs-css-vars@1.0.2
│   ├── loose-envify@1.4.0 deduped
│   ├── object-assign@4.1.1 deduped
│   ├─┬ promise@7.3.1
│   │ └── asap@2.0.6
│   ├── setimmediate@1.0.5
│   └── ua-parser-js@0.7.23   <----

Is there a chance to upgrade Flux with the fix, please?

refs:

pastak commented 2 years ago

fbjs v3.0.1 has been released, including an update to ua-parser-js, and flux has also merged https://github.com/facebook/flux/pull/539, updating to fbjs@3.0.1.

So please release and publish the next version of flux 🙏

yangshun commented 2 years ago

Done - https://github.com/facebook/flux/releases/tag/4.0.3

pastak commented 2 years ago

Thank you so much for your work 👍

Kenzku commented 2 years ago

thanks 🍡
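
Added example, not part of the thread or of the flux/fbjs code: one way to confirm that an installed tree no longer pulls in ua-parser-js below 0.7.24 is to walk the output of `npm ls --json` and report every dependency path to an older copy. The function names and both sample trees are constructed for illustration; the `after` tree assumes fbjs@3.0.1 resolves ua-parser-js to 0.7.24.

```javascript
// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
// Pre-release/build suffixes are ignored (assumption: not needed here).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk an `npm ls --json` tree and return every install of `pkg` older
// than `fixed`, together with the dependency path that pulls it in.
// Deduped entries carry a version but no nested dependencies.
function findOutdated(node, pkg, fixed, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === pkg && dep.version && compareVersions(dep.version, fixed) < 0) {
      hits.push({ version: dep.version, path: here.join(' > ') });
    }
    hits.push(...findOutdated(dep, pkg, fixed, here));
  }
  return hits;
}

// Constructed sample mirroring part of the tree reported in the issue.
const before = { name: 'app', version: '1.0.0', dependencies: {
  flux: { version: '4.0.1', dependencies: {
    fbemitter: { version: '3.0.0', dependencies: { fbjs: { version: '3.0.0' } } },
    fbjs: { version: '3.0.0', dependencies: {
      'object-assign': { version: '4.1.1' },
      'ua-parser-js': { version: '0.7.23' } } } } } } };

// Constructed sample of the tree after upgrading to flux 4.0.3.
const after = { name: 'app', version: '1.0.0', dependencies: {
  flux: { version: '4.0.3', dependencies: {
    fbjs: { version: '3.0.1', dependencies: {
      'ua-parser-js': { version: '0.7.24' } } } } } } };

for (const [label, tree] of [['before', before], ['after', after]]) {
  console.log(label, findOutdated(tree, 'ua-parser-js', '0.7.24'));
}
```

In a real project, feed the function the parsed output of `npm ls --json` in place of the constructed trees.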