[RN 0.54.2] OWASP Vulnerabilities due to React Native dependencies
Hello,
It looks like 5 node modules used by React Native fail OWASP. Each of the 5 failing modules is a dependency-of-a-dependency of React Native (most coming from connect).
Solution: React Native needs to update its dependencies.
Environment:
OS: macOS High Sierra 10.13.3
Node: 7.10.0
Yarn: 0.24.6
npm: 4.2.0
Watchman: 4.9.0
Xcode: Xcode 9.2 Build version 9C40b
Android Studio: 3.0 AI-171.4443003
Packages: (wanted => installed)
react: 16.2.0 => 16.2.0
react-native: 0.54.2 => 0.54.2
Expected Behavior
Clean OWASP scan.
Actual Behavior
Important parts in green.
You can see that negotiator is a nested dependency of RN. You can see from the npm ls commands that each of the offending npm modules is a dependency of react-native, e.g.
```
npm ls negotiator
cnx_react@0.0.1 /Users/Paul/git/MyProject/Project
└─┬ react-native@0.54.2
  └─┬ connect@2.30.2
    ├─┬ compression@1.5.2
    │ └─┬ accepts@1.2.13
    │   └── negotiator@0.5.3
    └─┬ errorhandler@1.4.3
      └─┬ accepts@1.3.5
        └── negotiator@0.6.1
```
We can see that negotiator is a derived dependency of the connect package that react-native relies on. connect@2.30.2 relies on:
compression@1.5.2, which relies on accepts@1.2.13, which relies on negotiator@0.5.3, and
errorhandler@1.4.3, which relies on accepts@1.3.4, which relies on negotiator@0.6.1.
Only negotiator@0.5.3 is vulnerable.
If negotiator were a direct dependency of Project, the ls tree would look like this:
```
npm ls enzyme
cnx_react@0.0.1 /Users/Paul/git/MyProject/Project
└── enzyme@3.3.0
```
Steps to Reproduce
Use https://jeremylong.github.io/DependencyCheck/dependency-check-cli/ on a React Native project, source here: https://github.com/jeremylong/DependencyCheck
Thanks for the report. For anyone interested in contributing, I suggest upgrading the dependencies incrementally in separate PRs. For example, to address the negotiator line item, you might open a PR that bumps the connect dependency from 2.30.2 to 3.6.6. I can take over ensuring the upgraded dependencies do not introduce other issues to our own React Native consumers at Facebook.

Help Wanted
- negotiator: Upgrade connect dependency
- debug: Run npm ls debug on a new React Native project to determine which dependency needs upgrading
- fresh: " "
- mime: " "
- hoek: " "

What is the current status of OWASP vulnerabilities on RN versions 0.59.* and above?