Another critical vulnerability with immer #11450

Closed
Brycetastic opened this issue Sep 16, 2021 · 8 comments
@Brycetastic

react-dev-utils is using immer 8.0.1. I am receiving a critical vulnerability for immer 8.0.1 that is fixed in 9.0.6.

@rosbel

rosbel commented Sep 17, 2021

This is also affecting our current deployments

@zeina1990

Same here, we are also impacted by this

@petetnt
Contributor

petetnt commented Sep 18, 2021

Thanks for the report!

PR already pending in #11364 (duplicated in #11444, #11454).

@petetnt petetnt closed this as completed Sep 18, 2021
@cmacdonnacha

Hey @petetnt - is there a way to force-update this dependency, as it's causing dependabot alerts for us?

@angusmccloud

@cmacdonnacha - You can use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) to force a dependency version to change. It can obviously break things, but for situations like this it works well.

@cmacdonnacha

> @cmacdonnacha - You can use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) to force a dependency version to change. It can obviously break things, but for situations like this it works well.

Thanks, but ansi-html is no longer maintained, so people have switched to ansi-html-community. Do you know if there's a way to tell npm-force-resolutions to use a different package when installing ansi-html? That's the biggest issue, I think.

@angusmccloud

> > @cmacdonnacha - You can use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) to force a dependency version to change. It can obviously break things, but for situations like this it works well.
>
> Thanks, but ansi-html is no longer maintained, so people have switched to ansi-html-community. Do you know if there's a way to tell npm-force-resolutions to use a different package when installing ansi-html? That's the biggest issue, I think.

Unfortunately, I don't think so... I think you'd have to create a branch on the repo that uses ansi-html and install that branch.

@cmacdonnacha

> > > @cmacdonnacha - You can use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) to force a dependency version to change. It can obviously break things, but for situations like this it works well.
> >
> > Thanks, but ansi-html is no longer maintained, so people have switched to ansi-html-community. Do you know if there's a way to tell npm-force-resolutions to use a different package when installing ansi-html? That's the biggest issue, I think.
>
> Unfortunately, I don't think so... I think you'd have to create a branch on the repo that uses ansi-html and install that branch.

Yea, I don't think it's worth the risk. No getting around the dependabot alerts, so I think I'm just going to have to move to Vite.
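As an added example (my own code, not from this thread or from react-dev-utils), a small check for the situation discussed above: after forcing a resolution, scan the parsed package-lock.json for any nested copy of immer still below 9.0.6, since a top-level 9.0.6 does not prove the copy under react-dev-utils was replaced. The sample lockfile is constructed, and the react-dev-utils version in it is a placeholder.

```javascript
// Added example, not from the issue thread or from react-dev-utils: find
// nested copies of a package still older than its fixed version, e.g.
// immer < 9.0.6 under react-dev-utils, in a parsed package-lock.json.

// Numeric comparison of plain x.y.z versions (assumption: no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ path, version }] for every copy of `name` older than `fixed`.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree, so both are handled.
function findVulnerable(lock, name, fixed) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name) && meta.version &&
          compareVersions(meta.version, fixed) < 0) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [n, meta] of Object.entries(deps || {})) {
      const p = prefix + 'node_modules/' + n;
      if (n === name && compareVersions(meta.version, fixed) < 0) {
        hits.push({ path: p, version: meta.version });
      }
      walk(meta.dependencies, p + '/');   // recurse into nested copies
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed v1-style lockfile mirroring the thread: top-level immer is
// already 9.0.6, but react-dev-utils (placeholder version) still nests 8.0.1.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    immer: { version: '9.0.6' },
    'react-dev-utils': { version: '0.0.0-placeholder',
      dependencies: { immer: { version: '8.0.1' } } },
  },
};
const sampleHits = findVulnerable(sampleLock, 'immer', '9.0.6');
```

For a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy older than the fixed version remains in the lockfile.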
