react-dev-utils uses a vulnerable version of immer as a dependency

[wclem4]

Describe the bug

react-dev-utils package uses a vulnerable version (7.0.9) of immer as a dependency.

Here is the GitHub CVE (High Severity) notification for the vulnerability, and here is the commit that has fixed it in the Immer 8.0.1 release earlier today.

react-dev-utils should be updated to use version 8.0.1 of Immer.

[RDIL]

Note: this will NOT make anybody's apps vulnerable.

This is a development-time only dependency.

Edit as of 2/3/2021 to clarify things for everyone: This is only used during the build phase of your app. It is not in the webpack bundle. Assuming your app doesn't directly use immer, e.g. you have manually put it in your dependencies, you are fine.

[jhockett]

Note: this will NOT make anybody's apps vulnerable. This is a development-time only dependency.

Is there a reason it's not a devDependency?

create-react-app/packages/react-dev-utils/package.json

Lines 54 to 83 in dfe2a09

	"dependencies": {
	"@babel/code-frame": "7.10.4",
	"address": "1.1.2",
	"browserslist": "4.14.2",
	"chalk": "2.4.2",
	"cross-spawn": "7.0.3",
	"detect-port-alt": "1.1.6",
	"escape-string-regexp": "2.0.0",
	"filesize": "6.1.0",
	"find-up": "4.1.0",
	"fork-ts-checker-webpack-plugin": "4.1.6",
	"global-modules": "2.0.0",
	"globby": "11.0.1",
	"gzip-size": "5.1.1",
	"immer": "8.0.1",
	"is-root": "2.1.0",
	"loader-utils": "2.0.0",
	"open": "^7.0.2",
	"pkg-up": "3.1.0",
	"prompts": "2.4.0",
	"react-error-overlay": "^6.0.8",
	"recursive-readdir": "2.2.2",
	"shell-quote": "1.7.2",
	"strip-ansi": "6.0.0",
	"text-table": "0.2.0"
	},
	"devDependencies": {
	"cross-env": "^7.0.2",
	"jest": "26.6.0"
	},

[RDIL]

Note: this will NOT make anybody's apps vulnerable. This is a development-time only dependency.

Is there a reason it's not a devDependency?

create-react-app/packages/react-dev-utils/package.json

Lines 54 to 83 in dfe2a09

	"dependencies": {
	"@babel/code-frame": "7.10.4",
	"address": "1.1.2",
	"browserslist": "4.14.2",
	"chalk": "2.4.2",
	"cross-spawn": "7.0.3",
	"detect-port-alt": "1.1.6",
	"escape-string-regexp": "2.0.0",
	"filesize": "6.1.0",
	"find-up": "4.1.0",
	"fork-ts-checker-webpack-plugin": "4.1.6",
	"global-modules": "2.0.0",
	"globby": "11.0.1",
	"gzip-size": "5.1.1",
	"immer": "8.0.1",
	"is-root": "2.1.0",
	"loader-utils": "2.0.0",
	"open": "^7.0.2",
	"pkg-up": "3.1.0",
	"prompts": "2.4.0",
	"react-error-overlay": "^6.0.8",
	"recursive-readdir": "2.2.2",
	"shell-quote": "1.7.2",
	"strip-ansi": "6.0.0",
	"text-table": "0.2.0"
	},
	"devDependencies": {
	"cross-env": "^7.0.2",
	"jest": "26.6.0"
	},

What I meant is that it is essentially its only used during the build phase of your app, not at runtime. Sorry for phrasing it wrong.

[TianyuHou]

when can we expect to have a new release for this fix? this is a high security issue within our project

[repartay]

Bumping this request, we also have this as a high security vuln in our project and since immer has released the patch, would really appreciate a timely bump in your dependencies. Thank you!