Security Vulnerabilities in the underlying packages to be updated

[iyash1]

In my recent project, I've encountered a flaw highlighted by Veracode static code analysis tool that the underlying libraries in react-scripts are susceptible to various vulnerabilities such as ReDoS, Prototype Pollution, etc. The dependency libraries are serialise-javascript, ajv, sockjs all seeking some recent versions.

serialize-javascript@3.1.0 or above
ajv@6.12.3
sockjs@0.3.20 or above

I propose to update these dependencies for an improved security and reliability.
Also, please update when you are planning to do these changes, if you consider updating them.

This would also help us with our application too and an immediate remediation or help would be much appreciated. Thank you.

[eddiemonge]

this will be fixed in the next release. To test it out https://gist.github.com/iansu/282dbe3d722bd7231fa3224c0f403fa1

[iyash1]

Thank you for the quick response, can you tell me when is the next release? Or share your release plans?

[eps1lon]

Note that you have to regenerate the version of terser-webpack-plugin (^1.4.5) that webpack is using. Otherwise a fresh install of react-scripts@3.4.3 no longer pulls in a vulnerable version of serialize-javascript. This issue can be closed.

[jissv]

Hi, for one of our projects after upgrading react-scripts to the latest version (reacts-scripts@3.4.3), the Veracode static code analysis tool points out that few libraries are vulnerable to uninitialized buffer allocation attacks, prototype pollution,These libraries are given below

ajv@6.11.0 is vulnerable to prototype pollution. By upgrading this to a version >=6.12.4 this issue can be resolved
websocker-driver@0.6.5 is vulnerable to uninitialized buffer allocation attacks. By upgrading this to a version >=0.7.1 this issue can be resolved

Is there any plan to upgrade these packages to improve the security? If yes, could you please update by when these changes could be implemented. Any quick help/support you could provide on this would be much appreciated.

[gaearon]

This is already resolved.