software-mansion / react-native-reanimated

React Native's Animated library reimplemented
https://docs.swmansion.com/react-native-reanimated/
MIT License

Issues with "react-native-reanimated": "3.0.0-rc.1" - need to use this dependency because of Vulnerable To ReDoS #3679

Closed dah-projects closed 1 year ago

dah-projects commented 1 year ago

Description

Hello,

In npm package react-native-reanimated a vulnerability was found: react-native-reanimated vulnerable to ReDoS. It works just fine with an older version like react-native-reanimated:~2.9.1. I just don't know how bad this vulnerability is to be honest, but I'd rather have a project where I don't get such severity issues when installing dependencies.

So when setting up a fresh project I tried to use this patched dependency, which currently is not useable with @react-navigation/drawer. After running in IOS I get the following error: "can't find variable: _updatePropsPaper." This is in a fresh project, in another project I got a different error: "tried to synchronously call anonymous function from a different thread". So this package is not working well at all.

I've added a simple repo which you can run locally in IOS emulator and to reproduce the problem


Steps to reproduce

node -v v16.17.1

  1. Clone: https://github.com/dah-projects/drawer-dep-repro
  2. npm i --force
  3. npx expo start -c --ios

Snack or a link to a repository

https://github.com/dah-projects/drawer-dep-repro

Reanimated version

3.0.0-rc.1

React Native version

0.69.6

Platforms

iOS

JavaScript runtime

No response

Workflow

Expo managed workflow

Architecture

No response

Build type

No response

Device

iOS simulator

Device model

Iphone 12

Acknowledgements

Yes

R4Y-R4Y commented 1 year ago

This happened to me too. Had to use the rc version in my project to make the error disappear.

dah-projects commented 1 year ago

> This happened to me too. Had to use the rc version in my project to make the error disappear.

Not sure what you mean, you don't get the same error as in my screenshot ("can't find variable: _updatePropsPaper.") when using "react-native-reanimated": "3.0.0-rc.1"?

tomekzaw commented 1 year ago

> So this package is not working well at all.

Thanks

> can't find variable: _updatePropsPaper

Did you remember to run pod install and build the app for iOS after bumping the version?

Also, please upgrade to 3.0.0-rc.3 which is the latest release.

dah-projects commented 1 year ago

> Thanks

Haha sorry, it's working perfectly fine without using > 3.0.0-rc.1. I think it has something to do with react-navigation not working properly with these packages (the drawer uses react-native-reanimated), so maybe I have more luck putting the issue there. What do you think?

> Did you remember to run pod install and build the app for iOS after bumping the version?

I'm using expo and from my understanding you don't need to use pod like with the CLI version, correct?

> Also, please upgrade to 3.0.0-rc.3 which is the latest release.

When I used that version (or rc.2) my IOS emulator crashes on start and shows a crash report.

Have you tried the github project I mentioned? Because if that works perfectly fine on your end, then I really wanna know your npm, expo, react-native and IOS emulator versions.

tomekzaw commented 1 year ago

@dah-projects

> I'm using expo and from my understanding you don't need to use pod like with the CLI version, correct?

If you use Expo managed workflow, then you must use the exact version of Reanimated that Expo SDK was compiled with, otherwise there's a mismatch of JS code and native code that was compiled to Expo binaries. In this case, your JS code (that uses Reanimated 3.0.0-rc.1) tries to call function _updatePropsPaper that doesn't exist, because the native part (2.9.1) injects a function called _updateProps, not _updatePropsPaper.

Also, I think that Expo CLI should somehow warn you that it expects 2.9.1, not 3.0.0-rc.1.

dah-projects commented 1 year ago

> @dah-projects
>
> > I'm using expo and from my understanding you don't need to use pod like with the CLI version, correct?
>
> If you use Expo managed workflow, then you must use the exact version of Reanimated that Expo SDK was compiled with, otherwise there's a mismatch of JS code and native code that was compiled to Expo binaries. In this case, your JS code (that uses Reanimated 3.0.0-rc.1) tries to call function _updatePropsPaper that doesn't exist, because the native part (2.9.1) injects a function called _updateProps, not _updatePropsPaper.
>
> Also, I think that Expo CLI should somehow warn you that it expects 2.9.1, not 3.0.0-rc.1.

It does indeed, so I basically just have to wait for react-navigation to be compatible with newest versions of react-native-reanimated?

kacperkapusciak commented 1 year ago

Hi @dah-projects 👋

It's not an issue with react-native-reanimated v3 support in react-navigation. You can use Reanimated v3 with the drawer navigator but that's not the problem you're facing.

You're using the Expo managed workflow, which, unless you prebuild it, doesn't support installing custom versions of native packages.

With each Expo SDK (here SDK 46) there's one paired version of Reanimated (here v2.9). Expo authors knew it would be confusing so they created npx expo install command which does the SDK ↔️ package pairing automatically. Docs: https://docs.expo.dev/workflow/using-libraries/#installing-a-third-party-library

TLDR: You can't use Reanimated v3 with Expo SDK 46.

PS: Use npx expo install to install packages in managed workflow

tomekzaw commented 1 year ago

The vulnerability was effectively patched in 3.0.0-rc.1 and 2.10.0.

I've changed the affected versions for this vulnerability in GitHub Advisory Database (https://github.com/advisories/GHSA-2j79-8pqc-r7x6).
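The two checks this thread ends up needing, as an added example that is not code from the Reanimated project or from anyone in the thread: whether a project's react-native-reanimated version matches the native version bundled by its Expo SDK (SDK 46 pairs with 2.9.x, as stated above; the pairing table is constructed and only contains that row), and whether it is at or past the versions the maintainer names as patched for the ReDoS advisory (2.10.0 and 3.0.0-rc.1). The sample package.json is constructed.

```javascript
// Added example, not part of the reanimated project. Checks a package.json's
// react-native-reanimated version against (a) the native version bundled by the
// Expo SDK (constructed table; SDK 46 -> 2.9.1 per the thread) and (b) the
// ReDoS-patched floors named by the maintainer: 2.10.0 (2.x) and 3.0.0-rc.1 (3.x).
const EXPO_BUNDLED_REANIMATED = { 46: '2.9.1' }; // constructed pairing table

// Parse "~2.9.1" / "3.0.0-rc.1"; a leading ~ or ^ range prefix is ignored on purpose.
function parseSemver(v) {
  const m = /^[~^]?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric core first; a prerelease sorts BEFORE its release
// (3.0.0-rc.1 < 3.0.0); prerelease ids compare numerically when both are digits.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  if (!a.pre || !b.pre) return (a.pre ? -1 : 0) + (b.pre ? 1 : 0);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const bothNum = /^\d+$/.test(x) && /^\d+$/.test(y);
    const c = bothNum ? Math.sign(+x - +y) : (x < y ? -1 : x > y ? 1 : 0);
    if (c !== 0) return c;
  }
  return 0;
}

// Patched per the thread: >=2.10.0 on the 2.x line, >=3.0.0-rc.1 on the 3.x line.
function isRedosPatched(version) {
  const v = parseSemver(version);
  return compareSemver(v, parseSemver(v.nums[0] >= 3 ? '3.0.0-rc.1' : '2.10.0')) >= 0;
}

// The JS side must match the native side Expo compiled in: same major.minor.
// Returns null when the SDK is not in the (constructed) table.
function matchesExpoNative(sdk, version) {
  if (!EXPO_BUNDLED_REANIMATED[sdk]) return null;
  const want = parseSemver(EXPO_BUNDLED_REANIMATED[sdk]), have = parseSemver(version);
  return want.nums[0] === have.nums[0] && want.nums[1] === have.nums[1];
}

// Report for a package.json object; the Expo SDK number is the major of the expo dep.
function checkProject(pkg) {
  const sdk = parseSemver(pkg.dependencies.expo).nums[0];
  const v = pkg.dependencies['react-native-reanimated'];
  return { expoSdk: sdk, reanimated: v, redosPatched: isRedosPatched(v),
           nativeCompatible: matchesExpoNative(sdk, v) };
}

// Constructed input mirroring the reporter's setup: SDK 46 with the 3.0.0-rc.1 JS side.
const reproPackageJson = { dependencies: { expo: '~46.0.0', 'react-native-reanimated': '3.0.0-rc.1' } };
console.log(checkProject(reproPackageJson)); // redosPatched: true, nativeCompatible: false
```

The report shows the two concerns pulling apart: the rc is past the advisory's patched floor, but its JS side does not match the 2.9 native part inside the SDK 46 binary, which is the `_updatePropsPaper` failure discussed above.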