Security: 4 Electron (react-devtools dep) security advisories

React version: `16.8.6`

There were 4 security issues filed against `electron`, which `react-devtools` has as a dep. The lowest version that fixes all 4 is `7.2.4` but the version requirement of `electron` for `react-devtools` is `^5.0.0`.

I freely admit that a good solution is to install `react-devtools` as a dev dependency, but for "reasons" that does not work for us. There are likely others out there in similar situations.

* [Issue 1](https://github.com/advisories/GHSA-6vrv-94jv-crrg): low
* [Issue 2](https://github.com/advisories/GHSA-h9jc-284h-533g): high
* [Issue 3](https://github.com/advisories/GHSA-f9mq-jph6-9mhm): moderate
* [Issue 4](https://github.com/advisories/GHSA-m93v-9qjc-3g79): high

These were buried deep in the releases so I am including the links here:

[Electron Changelog from 5 -> 6](https://github.com/electron/electron/releases?after=v7.0.0-nightly.20190730)
[Electron Changelog from 6 -> 7](https://github.com/electron/electron/releases?after=v6.1.1)

Thank you so much for any advice that you may be able to provide. Also thank you for all the work that you do. React, it's community, and it's ecosystem are awesome! 😎 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: 4 Electron (react-devtools dep) security advisories #19279

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: 4 Electron (react-devtools dep) security advisories #19279

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions