Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

react-dev-utils: Prototype Pollution in Immer #11443

Closed
SalGnt-mxm opened this issue Sep 15, 2021 · 6 comments
Closed

react-dev-utils: Prototype Pollution in Immer #11443

SalGnt-mxm opened this issue Sep 15, 2021 · 6 comments
Labels
issue: bug report needs triage

Comments

@SalGnt-mxm
Copy link

SalGnt-mxm commented Sep 15, 2021
edited
Loading

Describe the bug

The react-dev-utils package uses a vulnerable version (v8.0.4) of Immer.

The fix, commit fa671e5, is part of the v9.0.6 release.
The react-dev-utils package should use this specific version of Immer.

GitHub CVE
@SalGnt-mxm SalGnt-mxm mentioned this issue Sep 15, 2021
Closed
@bpod
Copy link

bpod commented Sep 15, 2021
edited
Loading

I'm seeing this issue flagged as a high vulnerability in our pipeline scan as well. However, I don't think this version of immer would ever be included in a final build since its only used by react-scripts.

Either way, Would love to see this addressed, thank you!

@PatrickShaw PatrickShaw mentioned this issue Sep 16, 2021
Merged
@theKashey
Copy link

The problem got multiplied by Storybook and potentially more projects which use react-dev-utils

@erbunao erbunao mentioned this issue Sep 17, 2021
Closed
@timbomckay timbomckay mentioned this issue Sep 17, 2021
Merged
@petetnt petetnt mentioned this issue Sep 18, 2021
Closed
@amoore108 amoore108 mentioned this issue Oct 4, 2021
Merged
7 tasks
@DaisyyKM
Copy link

DaisyyKM commented Oct 7, 2021

Vulnerability is still there because we are not getting the updated version
Linking my comment from PR #11364 (comment)

@feedmypixel feedmypixel mentioned this issue Oct 18, 2021
Closed
2 tasks
@furdzik
Copy link

furdzik commented Nov 3, 2021
edited
Loading

Any update on this?

In my project also [email protected] has immer as dependency but still in version 8.0.1.

@ziaulrehman40
Copy link

This is marked critical, should be fixed on priority

@sarahannnicholson sarahannnicholson mentioned this issue Nov 30, 2021
Open
@hijikiman
Copy link

This problem seems to have been resolved in release 5.0.0

@vutting4221 vutting4221 mentioned this issue Dec 1, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
issue: bug report needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump Immer to v9.0.6
7 participants
@theKashey @furdzik @ziaulrehman40 @bpod @hijikiman @SalGnt-mxm @DaisyyKM