maxkomarychev / react-native-ultimate-config

Config that works
MIT License
261 stars, 31 forks

Vulnerable dependency #65

Closed tr3v3r closed 3 years ago

tr3v3r commented 3 years ago

Describe the bug

SAST scanning of our app detected vulnerable dependency:

Description: `handlebars` before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

OS

Packages

Additional context

It's critical for us since we can't move to PROD with this issue.

maxkomarychev commented 3 years ago

hi @tr3v3r, I'll fix this, but FYI: my library has an open-range dependency spec for handlebars (`^4`), and the exact version is likely to be determined by your lockfile. I recommend you review the lockfiles in your application and consider upgrading this transitive dependency on your side via `npm update` or `yarn upgrade`, without changing anything in react-native-ultimate-config.

thanks for the report!

maxkomarychev commented 3 years ago

published as part of 3.4.0

tr3v3r commented 3 years ago

@maxkomarychev thanks for the response, but the issue was resolved by updating to the latest version of your package (handlebars was also updated). We can close the issue.