Nested packages (with lower package versions) of react native (by expo) have security vulnerabilities #26905

Closed
VishalArora7774 opened this issue Oct 18, 2019 · 2 comments
Labels
Bug Stale There has been a lack of activity on this issue and it may be closed soon.

VishalArora7774 commented Oct 18, 2019

We are using an Expo-generated project with Expo version 33, pointing to react-native version 0.58.9.

There are 3 packages, inquirer, ws and mem (with low package versions), which are direct or indirect dependencies of react-native and have security vulnerabilities. We tried to upgrade these packages, but they still cause the same issue (security vulnerabilities). We have tried this with the latest Expo version, 35. We even tried to use the latest react-native version, i.e. 0.61.2, directly without Expo, but the packages' versions are still the same. For now, to bypass this, we have tried yarn resolutions, but the issue is still present. Can anyone please tell us how we can overcome this issue without resolutions?

More info about the known issues with these packages:

https://www.sourceclear.com/vulnerability-database/security/sca/vulnerability/sid-5397/summary
https://www.sourceclear.com/vulnerability-database/security/sca/vulnerability/sid-7405/summary
https://www.sourceclear.com/vulnerability-database/security/sca/vulnerability/sid-20567/summary

Expo Version: 33
React Native version: 0.59.8

Steps To Reproduce

  1. Open yarn.lock file
  2. Search for inquirer, mem and ws. You will find multiple copies of ws, yargs (which pulls in the mem package) and inquirer. If you try to upgrade them with `yarn upgrade package-name`, it won't upgrade these packages; instead you get the same package again at a higher version.

Describe what you expected to happen:

We were expecting that nested packages would update when running the `yarn upgrade` command or `yarn`.

Snack, code example, screenshot, or link to a repository:
For now, I have added resolutions to the package.json file:

```json
"resolutions": { "yargs": ">= 13.2.2", "inquirer": ">= 6.4.1", "ws": ">= 5.2.0" }
```
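The check the reporter is doing by hand (opening yarn.lock and searching for every copy of ws, yargs and inquirer) can be scripted. The following is an added example, not code from the issue author, from React Native or from Expo: a Node.js script that parses a v1 yarn.lock, collects every resolved version of the packages named in the posted resolutions block, and flags the copies that fall below the required minimum. The lockfile text embedded here is constructed for the example (the version numbers are illustrative, not taken from a real react-native lockfile), and the `MINIMUMS` table mirrors the `resolutions` values above.

```javascript
// Added example: scan a v1 yarn.lock for transitive package copies that sit
// below a required minimum version, the same thing a package.json
// "resolutions" block is meant to enforce. Not part of the original issue.

// Mirrors the resolutions block posted in the issue (lower bounds only).
const MINIMUMS = { yargs: '13.2.2', inquirer: '6.4.1', ws: '5.2.0' };

// Constructed sample lockfile: two resolved copies of ws, one each of
// inquirer and yargs, plus an unrelated scoped package. Versions are made up.
const SAMPLE_LOCK = `# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.5.5"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.5.5.tgz"

inquirer@^3.0.6:
  version "3.3.0"
  resolved "https://registry.yarnpkg.com/inquirer/-/inquirer-3.3.0.tgz"

ws@^1.1.0, ws@^1.1.5:
  version "1.1.5"
  resolved "https://registry.yarnpkg.com/ws/-/ws-1.1.5.tgz"

ws@^6.1.2:
  version "6.1.4"
  resolved "https://registry.yarnpkg.com/ws/-/ws-6.1.4.tgz"

yargs@^9.0.0:
  version "9.0.1"
  resolved "https://registry.yarnpkg.com/yargs/-/yargs-9.0.1.tgz"
  dependencies:
    os-locale "^2.0.0"
`;

// Package name from a lockfile specifier such as `"@scope/pkg@^1.0.0"` or
// `ws@^1.1.0`: strip quotes, then split on the LAST '@' so scoped names
// (which begin with '@') are kept whole.
function nameFromSpecifier(spec) {
  const s = spec.trim().replace(/^"|"$/g, '');
  const at = s.lastIndexOf('@');
  return at > 0 ? s.slice(0, at) : s;
}

// Parse a v1 yarn.lock into [{ name, version }], one entry per resolved copy.
// A header line is unindented and ends with ':'; the version follows indented.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // All comma-separated specifiers on one header share a package name.
      const name = nameFromSpecifier(line.slice(0, -1).split(',')[0]);
      current = { name, version: null };
      entries.push(current);
    } else if (current && /^ {2}version /.test(line)) {
      current.version = line.trim().split(' ')[1].replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// Compare two dotted semver strings on major.minor.patch (pre-release tags
// are ignored, which is good enough for a lower-bound check): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of a tracked package whose version is below the
// minimum: exactly the entries a "resolutions" rule would have to replace.
function findOutdated(lockText, minimums) {
  return parseYarnLock(lockText)
    .filter((e) => Object.prototype.hasOwnProperty.call(minimums, e.name) && e.version)
    .filter((e) => compareVersions(e.version, minimums[e.name]) < 0)
    .map((e) => ({ name: e.name, version: e.version, required: minimums[e.name] }));
}

// Human-readable report lines for the sample lockfile.
function report(lockText, minimums) {
  return findOutdated(lockText, minimums).map(
    (o) => `${o.name}@${o.version} is below the required ${o.required}`
  );
}

for (const line of report(SAMPLE_LOCK, MINIMUMS)) console.log(line);
```

To run it against a real project, pass `require('fs').readFileSync('yarn.lock', 'utf8')` to `findOutdated` instead of `SAMPLE_LOCK`; an empty result means every tracked copy meets the floor. Two caveats a practitioner would want: the script only inspects what the lockfile resolved, so it must be re-run after `yarn install` rewrites yarn.lock; and a `>=` resolution is a blunt instrument, since forcing ws 5.x onto a dependency written against ws 1.x changes that package's API as well as its security posture, so the forced versions still need to be exercised in a build.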

stale bot commented Jan 16, 2020

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as a "Discussion" or add it to the "Backlog" and I will leave it open. Thank you for your contributions.

@stale stale bot added the Stale There has been a lack of activity on this issue and it may be closed soon. label Jan 16, 2020

stale bot commented Jan 24, 2020

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please feel free to create a new issue with up-to-date information.

@stale stale bot closed this as completed Jan 24, 2020
@facebook facebook locked as resolved and limited conversation to collaborators Jan 24, 2020