microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms

Critical npm vulnerability in `formidable` #2695

Closed dan-trewin closed 4 months ago

dan-trewin commented 5 months ago

Steps to Reproduce

A new critical npm vulnerability is present in npm dep formidable < 3.2.4: https://github.com/advisories/GHSA-8cp3-66vr-3r4c.

react-native-code-push uses a series of deps that depend on superagent versions that depend on formidable < 3.2.4.

Really the issue is with code-push and appcenter-file-upload-client, but this repo will likely need a release too.

See:

[Screenshot from 2024-04-23 attached to the original issue; image not reproduced here]

Expected Behavior

code-push and appcenter-file-upload-client should be updated to use a newer version of superagent that doesn't depend on formidable < 3.2.4; then react-native-code-push should in turn be updated to use the corresponding new versions so that react-native-code-push doesn't contain a critical vuln.

Actual Behavior

Current version of react-native-code-push@8.2.2 contains a critical npm vuln.

Final Notes

Just curious if your team is aware of this and working on a fix/when to expect it? Or if anyone has any workarounds in the meantime, those would be appreciated. Thanks in advance!
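
The transitive chain described in this report (react-native-code-push > code-push / appcenter-file-upload-client > superagent > formidable) is the kind of thing `npm audit` flags, but it helps to see exactly which path pulls in the affected range. The script below is an added example, not code from this repository or from the issue author: it walks the JSON tree that `npm ls --all --json` prints and lists every path ending in a `formidable` below the fixed version quoted in the advisory. The sample tree is constructed; apart from react-native-code-push@8.2.2, the version numbers in it are placeholders, not the real ones.

```javascript
// Added example: find dependency paths that reach a vulnerable package.
// Input shape follows `npm ls --all --json` (name, version, dependencies).

// Package and fixed version as quoted in the issue (GHSA-8cp3-66vr-3r4c).
const ADVISORY = { name: 'formidable', fixedIn: '3.2.4' };

// Minimal numeric major.minor.patch compare; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of the tree; returns "root@v > dep@v > ... > pkg@v" strings
// for every occurrence of advisory.name whose version is below fixedIn.
function findVulnerablePaths(tree, advisory = ADVISORY) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name === advisory.name && node.version &&
        compareVersions(node.version, advisory.fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Constructed sample tree mirroring the chain in the issue. Versions other
// than react-native-code-push@8.2.2 are placeholders, not real releases.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'react-native-code-push': { version: '8.2.2', dependencies: {
      'code-push': { version: '4.2.1', dependencies: {
        superagent: { version: '5.3.1', dependencies: {
          formidable: { version: '1.2.6' } } } } },
      'appcenter-file-upload-client': { version: '0.1.0', dependencies: {
        superagent: { version: '9.0.1', dependencies: {
          formidable: { version: '3.2.4' } } } } } } } } };

console.log(findVulnerablePaths(SAMPLE_TREE));
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse(fs.readFileSync('ls.json'))` after saving the output of `npm ls --all --json` to `ls.json`; the second branch in the sample, pinned at exactly 3.2.4, is deliberately not reported.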

DmitriyKirakosyan commented 4 months ago

@dan-trewin, thank you for reporting this issue.

This vulnerability advisory was withdrawn, based on the information from https://github.com/advisories/GHSA-8cp3-66vr-3r4c. npm audit doesn't find any vulnerability in this package either.

dan-trewin commented 4 months ago

@DmitriyKirakosyan Thanks for letting us know. Closing this issue!