
react-dev-utils uses a vulnerable version of immer as a dependency


Describe the bug

The react-dev-utils package uses a vulnerable version (7.0.9) of immer as a dependency.

Here is the GitHub CVE (High Severity) notification for the vulnerability, and here is the commit that fixed it in the Immer 8.0.1 release earlier today.

react-dev-utils should be updated to use version 8.0.1 of Immer.
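To see which copies of immer actually sit in a project's tree, which are still below the fixed version, and whether npm classifies each copy as dev-only (the distinction argued over in the comments), here is an added helper that is not from the issue, from react-dev-utils or from Create React App. It reads the `packages` map of a lockfileVersion 2 package-lock.json; the sample lockfile is constructed for illustration.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2), not from any real
# project. react-scripts is a regular dependency, as CRA generates it, so the
# immer 7.0.9 nested under react-dev-utils carries no "dev" flag; the copy
# under a dev-only tool does.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"react-scripts": "4.0.2"},
             "devDependencies": {"some-dev-tool": "1.0.0"}},
        "node_modules/react-scripts": {"version": "4.0.2"},
        "node_modules/react-dev-utils": {"version": "11.0.2"},
        "node_modules/react-dev-utils/node_modules/immer": {"version": "7.0.9"},
        "node_modules/some-dev-tool": {"version": "1.0.0", "dev": True},
        "node_modules/some-dev-tool/node_modules/immer": {"version": "7.0.9", "dev": True},
        "node_modules/immer": {"version": "8.0.1"},
    },
})

def parse_version(v):
    """'8.0.1' -> (8, 0, 1); pre-release/build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def find_installs(lock_json, package, fixed_version):
    """Return (path, version, vulnerable, dev_only) for every installed copy
    of `package`. vulnerable: version < fixed_version. dev_only: npm's "dev"
    flag, set when the copy is reachable only through devDependencies."""
    fixed = parse_version(fixed_version)
    found = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        # The package name is whatever follows the last "node_modules/".
        if path.rsplit("node_modules/", 1)[-1] != package or "version" not in meta:
            continue
        found.append((path, meta["version"],
                      parse_version(meta["version"]) < fixed,
                      bool(meta.get("dev", False))))
    return found

def report(lock_json, package, fixed_version):
    """Print one line per copy; return paths of copies still below the fix."""
    bad = []
    for path, version, vulnerable, dev_only in find_installs(lock_json, package, fixed_version):
        status = "VULNERABLE" if vulnerable else "ok"
        scope = "dev-only" if dev_only else "prod"
        print(f"{status:10} {scope:8} {package}@{version}  at {path}")
        if vulnerable:
            bad.append(path)
    return bad
```

Run it with `report(open("package-lock.json").read(), "immer", "8.0.1")` against a real lockfile; a copy reported as `prod` is one npm audit will keep flagging even when, as in this issue, it is only exercised at build time.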

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 129
  • Comments: 41 (10 by maintainers)

Top GitHub Comments

63 reactions
mrwensveen commented, Feb 3, 2021

Thanks for looking at this, I really appreciate the hard work you people are doing!

Note: this will NOT make anybody’s apps vulnerable. This is a development-time only dependency.

Is there a reason it’s not a devDependency?

What I meant is that it is essentially only used during the build phase of your app, not at runtime. Sorry for phrasing it wrong.

But doesn’t that mean it should be a devDependency?

IMHO there is something seriously wrong with the security audit notifications. I’ve seen it dozens of times:

  1. npm warns about a vulnerability.
  2. developers want to be good citizens and submit a bug.
  3. package maintainers tell them there’s nothing to worry about and leave the end users with alarms going off for weeks.

I think telling users to ignore security warnings is harmful. So either npm shouldn’t warn about irrelevant vulnerabilities, or package maintainers should prioritize security vulnerabilities even if they are irrelevant.

60 reactions
gaearon commented, Feb 18, 2021

Update: the maintainers are planning to release a patch at some point before next week to address this.

