A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.
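As an added example (not react-native's code; the pattern below is a constructed toy with an ambiguous nested quantifier, not the regex that was in validateBaseUrl), a timing probe of the kind a CI regex check would use to catch superlinear matching, next to a bounded validator that caps input length and hands the structural parsing to the WHATWG URL parser. `MAX_BASE_URL_LENGTH`, `safeValidateBaseUrl` and `growthRatio` are hypothetical names introduced here.

```javascript
// Added example, not react-native's code. TOY_HOST_RE is constructed to show the
// ReDoS failure class (ambiguous nested quantifiers); it is NOT the validateBaseUrl regex.
const TOY_HOST_RE = /^(?:[a-z0-9]+\.?)+$/;

// Wall-clock milliseconds spent in re.test(input). Constructed non-matching
// inputs force the engine to explore every way of splitting the run of 'a's.
function probeMs(re, input) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Ratio of match times when the input grows by `step` characters. A linear-time
// pattern stays near 1; an exponential one roughly doubles per added character.
function growthRatio(re, n, step) {
  const mk = (k) => 'a'.repeat(k) + '!';     // trailing '!' defeats the match only at the end
  probeMs(re, mk(n));                         // warm-up run so JIT cost is not measured
  return probeMs(re, mk(n + step)) / probeMs(re, mk(n));
}

// Mitigation sketch: reject oversized input before any regex sees it, then let the
// (linear) WHATWG URL parser validate structure instead of a hand-written pattern.
const MAX_BASE_URL_LENGTH = 2048;             // assumed policy limit, not a react-native value
function safeValidateBaseUrl(candidate) {
  if (typeof candidate !== 'string' || candidate.length > MAX_BASE_URL_LENGTH) {
    return false;                             // rejected without touching a regex
  }
  let url;
  try { url = new URL(candidate); } catch { return false; }
  return (url.protocol === 'http:' || url.protocol === 'https:') && url.hostname !== '';
}

console.log('time growth for +4 chars:', growthRatio(TOY_HOST_RE, 16, 4).toFixed(1) + 'x');
console.log(safeValidateBaseUrl('https://example.com:8081/'), safeValidateBaseUrl('a'.repeat(10000)));
```

Running the probe on a candidate pattern with a few input lengths is enough to see whether time grows proportionally or explodes; the length cap alone bounds the worst case even where the regex cannot be changed immediately.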
Release Notes
facebook/react-native
### [`v0.64.1`](https://togithub.com/facebook/react-native/releases/tag/v0.64.1)
[Compare Source](https://togithub.com/facebook/react-native/compare/v0.64.0...v0.64.1)
This patch release is specifically targeted towards fixing iOS build problems in Xcode 12.5. If it doesn't help, please refer to [this issue](https://togithub.com/facebook/react-native/issues/31480).
Aside from bumping your version from 0.64.0 to 0.64.1, please check your podfile.lock and make sure that Flipper is on 0.75 or higher, and Flipper-Folly is 2.5.3 or higher; if not, add this line to your podfile (or modify it if you already had it):
```ruby
use_flipper!('Flipper' => '0.75.1', 'Flipper-Folly' => '2.5.3', 'Flipper-RSocket' => '1.3.1')
```
After that, do all the classic necessary cleans (node_modules, caches, pod folders, etc.; [react-native-clean-project](https://togithub.com/pmadruga/react-native-clean-project) is your ally), then run `yarn install` and `pod install --repo-update` (if `pod install` fails with an error about a Flipper package, just remove the relevant lines from the podfile.lock and run `pod install` again).
The only other commit picked & released alongside the Xcode 12.5 fixes is:
- Update validateBaseUrl to use latest regex ([commit](https://togithub.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7)) which fixes CVE-2020-1920, GHSL-2020-293.
***
You can participate in the conversation on the status of this release at [this issue](https://togithub.com/react-native-community/releases/issues/224).
***
To help you upgrade to this version, you can use the [upgrade helper](https://react-native-community.github.io/upgrade-helper/) ⚛️
***
You can find the whole [changelog history](https://togithub.com/react-native-community/react-native-releases/blob/master/CHANGELOG.md) over at `react-native-releases`.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following update: react-native 0.64.0 -> 0.64.1 (GitHub Vulnerability Alerts: CVE-2020-1920).