
Latest version of react-dev-utils using immer v8.0.1 #11660

nikhithabaker opened this issue Nov 16, 2021 · 17 comments

Comments

@nikhithabaker

When I used react-dev-utils, the version of immer I got was v8.0.1 instead of v9.0.6. immer 8.0.1 has a type confusion vulnerability, and it is affecting my work. Kindly resolve this issue.

@vejandla

vejandla commented Nov 17, 2021

Ran into the same issue; it was reported by a security scan. Can we fix this?

immer 8.0.6 has a vulnerability.

@Pjohnsonator

This looks like it was addressed 2 months ago and merged into the main branch, but without publishing it to npm; the last publish was react-dev-utils@11.0.4, 9 months ago.

@nikhithabaker

When are they planning to publish the newer version to npm?

@mheob

mheob commented Nov 25, 2021

immer < 9.0.6 has been classified as critical severity. A timely release would be good.

Btw, the browserslist 4.14.2 in use is also vulnerable: GHSA-w8qv-6jwh-64r5

@vejandla

This was reported 13 days ago and it is still labeled as needs triage. The bad thing about this is that it was fixed, but not yet released to npm. I'd appreciate it if it could get some attention from the release team.

@ewertonsilveira

ewertonsilveira commented Dec 1, 2021

Same for me; dependabot is telling me to upgrade to immer > 9.0.6


@joekarasek

Would also love to see this get published soon, please and thank you!

@victorfgs

Having the same immer alert here. Any news about the release?

@apeiniger

Same here

@ayoubelasryRoot

same issue here

@dannyskoog

same

@jonsalvas

jonsalvas commented Dec 7, 2021

Same, but I got it fixed with npm and this workaround for now (package.json):

```json
  "scripts": {
    ..
    "preinstall": "npx npm-force-resolutions"
    ..
  },

  ..

  "devDependencies": {
    "npm-force-resolutions": "0.0.10"
  },

  ..

  "resolutions": {
    "immer": "9.0.6"
  },

  ..
```

It is bad, I know, but it is saving me some of my precious time :-)

@ayoubelasryRoot

> Same, but I got it fixed with npm and this workaround for now (package.json):
>
> ```json
>   "scripts": {
>     ..
>     "preinstall": "npx npm-force-resolutions"
>     ..
>   },
>
>   ..
>
>   "devDependencies": {
>     "npm-force-resolutions": "0.0.10"
>   },
>
>   ..
>
>   "resolutions": {
>     "immer": "9.0.6"
>   },
>
>   ..
> ```
>
> It is bad, I know, but it is saving me some of my precious time :-)

Thank you. I was facing issues trying to use this fix with npm, but with yarn it was working fine, not sure why.

@ab-smith

ab-smith commented Dec 9, 2021

same

@iiLearner

Is there any ETA?

@MZOG

MZOG commented Dec 15, 2021

Any update?

@mheob

mheob commented Dec 15, 2021

CRA was updated to v5 yesterday (github.com/facebook/create-react-app/releases/tag/v5.0.0).
With it, v12 of react-dev-utils was also released (www.npmjs.com/package/react-dev-utils).

So it should be fixed now.
