Deps: upgrade react-dev-utils to get newer immer #14015
LGTM thanks! 🙏
We're on Storybook v6.3.8 and getting

@timbomckay this should be in
We just wiped our

When we run

Critical: This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Package: immer
Patched in: 9.0.6
Dependency of: @storybook/vue [dev]
Path: @storybook/vue > @storybook/core > @storybook/core-server > @storybook/builder-webpack4 > react-dev-utils > immer
More info: https://nodesecurity.io/advisories/184711

Critical: This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Package: immer
Patched in: 9.0.6
Dependency of: @storybook/addon-essentials [dev]
Path: @storybook/addon-essentials > @storybook/addon-docs > @storybook/core > @storybook/core-server > @storybook/builder-webpack4 > react-dev-utils > immer
More info: https://nodesecurity.io/advisories/184711

Critical: immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Package: immer
Patched in: 9.0.6
Dependency of: @storybook/vue [dev]
Path: @storybook/vue > @storybook/core > @storybook/core-server > @storybook/builder-webpack4 > react-dev-utils > immer
More info: https://nodesecurity.io/advisories/184353

Critical: immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Package: immer
Patched in: 9.0.6
Dependency of: @storybook/addon-essentials [dev]
Path: @storybook/addon-essentials > @storybook/addon-docs > @storybook/core > @storybook/core-server > @storybook/builder-webpack4 > react-dev-utils > immer
More info: https://nodesecurity.io/advisories/184353

Which it does appear that

Alright, well thanks. Should've dug deeper into this before commenting, as well as posting on the referenced issue haha. Anyways, sorry about that and thanks for the quick reply.
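As an added illustration (not immer's source and not code from this PR), the JavaScript below contrasts a strict-equality key check of the shape the advisory quotes with a hardened check that rejects non-string segments and compares the coerced property key; the function names and the sample patch path are hypothetical.

```javascript
// Added example, not immer's implementation. Shows why a strict-equality
// check on a patch-path segment misses array-typed keys, and what a
// defensive validator should do instead.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Weak check, same shape as the condition quoted in the advisory:
// it only matches string operands, so ["__proto__"] is not recognised.
function isForbiddenKeyWeak(p) {
  return p === "__proto__" || p === "constructor";
}

// Hardened check: refuse any segment that is not a plain string or array
// index, then compare the coerced key (what property access actually uses).
function isForbiddenKeyHardened(p) {
  if (typeof p !== "string" && typeof p !== "number") return true;
  return FORBIDDEN_KEYS.has(String(p));
}

// Validate a whole path before applying a patch. Returns the indices of
// offending segments so the caller can reject the patch and log the event.
function findForbiddenSegments(path, check = isForbiddenKeyHardened) {
  const bad = [];
  path.forEach((segment, i) => {
    if (check(segment)) bad.push(i);
  });
  return bad;
}

// Demonstrates the coercion that makes the weak check unsafe: a property
// access with an array key is converted with String(), so o[["x"]] is o.x.
function arrayKeyIsCoercedToString() {
  const o = {};
  o[["x"]] = 1;
  return o.x === 1;
}

// Constructed sample path with an array-typed segment in the middle.
const SAMPLE_PATH = ["settings", ["__proto__"], "isAdmin"];
```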
My understanding is that the update was merged into react-dev-utils, but there hasn't been a new 11.x version released. Only 12.x prereleases (see here). This comment suggests that this is not as urgent as the audit suggests, since it is only an issue in a dev tool, which I guess isn't used in any way that exposes the vulnerability to untrusted code.
Issue: #13961
What I did
I upgraded react-dev-utils to the new patch version that includes the immer without prototype pollution.
How to test