Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit reports vulnerability - immer in react-dev-utils #1062

Closed
ccaspers opened this issue Mar 1, 2021 · 5 comments
Closed

npm audit reports vulnerability - immer in react-dev-utils #1062

ccaspers opened this issue Mar 1, 2021 · 5 comments
Labels
bug Something isn't working

Comments

@ccaspers
Copy link

ccaspers commented Mar 1, 2021
edited
Loading

Current behavior

Running npm audit produces an error caused by a transitive dependency of vue styleguidist

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vue-cli-plugin-styleguidist [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vue-cli-plugin-styleguidist > vue-styleguidist >             │
│               │ react-dev-utils > immer                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

To reproduce

https://github.com/ccaspers/vue-styleguidist-vulnerability

git clone https://github.com/ccaspers/vue-styleguidist-vulnerability.git
cd vue-styleguidist-vulnerability
npm i && npm audit

Expected behavior
Audit doesn't report a security warning.
@elevatebart
Copy link
Member

thank you @ccaspers

@elevatebart elevatebart added the bug Something isn't working label Mar 1, 2021
@mswertz
Copy link

mswertz commented Mar 1, 2021
edited
Loading

I am facing same dependabot alert issue.

Cause seems to be fixed in underlying react-dev-utils ^11.0.2 see facebook/create-react-app#10411
React styleguidist has package ^11.0.0 as dependency see https://github.com/styleguidist/react-styleguidist/blob/master/package.json
So in theory this could be solved by simply rebuild pushing deps to latest, right?

@elevatebart
Copy link
Member

@mswertz I think you are right. Thank you for tracking it down.
I need to check first what the breaking changes are in react-styleguidist 11.
Would you mind creating a PR updating rsg. This would trigger a minimum of automated tests and probably give us a clearer idea of the work to be done.

mswertz added a commit to mswertz/vue-styleguidist that referenced this issue Mar 2, 2021
@mswertz
chore(deps): update react styleguidist to 11.1.5
c13932d 
To address issue vue-styleguidist#1062
@mswertz mswertz mentioned this issue Mar 2, 2021
Closed
@elevatebart
Copy link
Member

I fixed it !!!

@ccaspers
Copy link
Author

Thank you very much :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mswertz @ccaspers @elevatebart