react-dev-utils: Security vulnerability with immer 7.0.9
Describe the bug
Security vulnerability with immer 7.0.9: https://www.npmjs.com/advisories/1603
Actual behavior
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @storybook/react > react-dev-utils > immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1603 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Reproducible demo
yarn add @storybook/react && yarn audit
Top GitHub Comments
@Aleksei-Pankratev-EPAM , from what I understand, it’s create-react-app’s general policy to pin all dependencies to exact versions. That helps make sure that everything keeps working, but (as you said), it has the disadvantage of making it harder to get minor package upgrades for security fixes. In this case, a caret range wouldn’t have helped; create-react-app uses Immer 7.0.9, and the Immer bug was fixed in 8.0.1, which a caret range wouldn’t match (due to potential backward-incompatible changes).
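The caret-range point made in the comment above, worked through as an added example. This is not code from the issue, create-react-app, immer, npm or yarn; it implements just enough of npm's semver rules to show why a `^7.0.9` range could never resolve to the patched 8.0.1. The list of immer versions is a constructed sample, and `satisfies`, `resolveHighest` and `wouldBeFixed` are illustrative helpers, not the real resolver.

```javascript
// Added example: a minimal semver matcher to show why neither an exact pin
// nor a caret range on immer 7.0.9 would reach the 8.0.1 fix.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns -1, 0 or 1 like a normal comparator; pre-releases sort below
// the corresponding release (1.0.0-beta < 1.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Does `version` satisfy `range`? Supports exact pins ("7.0.9"), caret
// ranges ("^7.0.9") and single comparators (">=8.0.1", "<8.0.0").
function satisfies(version, range) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const base = r.slice(1);
    return compareVersions(version, base) >= 0 &&
           compareVersions(version, caretUpperBound(base)) < 0;
  }
  const cmp = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(r);
  const op = cmp[1] || '=';
  const c = compareVersions(version, cmp[2]);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// Highest available version matching `range`, or null if none does.
function resolveHighest(range, available) {
  const ok = available.filter(v => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// "Patched in" column from the advisory table above.
const PATCHED_IN = '>=8.0.1';

// Constructed sample of immer versions for the demo; not a registry listing.
const IMMER_VERSIONS = ['7.0.8', '7.0.9', '7.0.15', '8.0.0', '8.0.1', '9.0.6'];

// What the resolver would pick for a given package.json range, and whether
// that pick falls inside the advisory's patched range.
function wouldBeFixed(range) {
  const picked = resolveHighest(range, IMMER_VERSIONS);
  return { picked, patched: picked !== null && satisfies(picked, PATCHED_IN) };
}

console.log(wouldBeFixed('7.0.9'));   // exact pin: stays on 7.0.9, vulnerable
console.log(wouldBeFixed('^7.0.9'));  // caret: at most 7.0.15, still vulnerable
console.log(wouldBeFixed('^8.0.1'));  // only a major bump lands on the fix
```

Run it with `node` and compare the three results: the caret range does widen what the resolver may choose, but every candidate it admits is still below the 8.0.0 major boundary, so the fix in 8.0.1 is unreachable without an explicit bump of the dependency itself.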
@Pistaco , create-react-app isn’t affected by this particular security issue. So, although there are big advantages to keeping any automated security scanners happy, it’s not an issue if you’re not using Immer yourself.
This is a duplicate of https://github.com/facebook/create-react-app/issues/10411.
Please see the discussion there. In particular, https://github.com/facebook/create-react-app/issues/10411#issuecomment-781399779.