This repository was archived by the owner on May 20, 2025. It is now read-only.
Upgrade to code-push@2.1.5+ to fix DoS zip attack #1230
Closed
Description
This has been addressed by code-push in microsoft/code-push@c6a6f9f. RN-code-push needs to catch up on it 😄.
Steps to Reproduce
- Install react-native-code-push@5.3.0
- Run `nsp check`
Expected Behavior
No vulnerability found.
Actual Behavior
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│ │ Large gzip Denial of Service │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name │ superagent │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS │ 3.7 (Low) │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed │ 1.8.5 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <3.7.0 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched │ >=3.7.0 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path │ test-react-native-code-push@0.1.0 > react-native-code-push@5.3.0 > │
│ │ code-push@2.0.4 > superagent@1.8.5 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info │ https://nodesecurity.io/advisories/479 │
└────────────┴────────────────────────────────────────────────────────────────────┘
Environment
- react-native-code-push version: 5.3.0
- react-native version: 0.51.0
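To confirm whether the upgrade actually removed the vulnerable transitive copy, the following added example (not code from the react-native-code-push or code-push projects) walks an `npm ls --json`-style dependency tree and reports every copy of a package below its patched version. The tree is constructed here to mirror the path in the nsp output above; with a real project, pipe the output of `npm ls --json` into `findVulnerable`.

```javascript
// Constructed sample tree mirroring the nsp path:
// test-react-native-code-push@0.1.0 > react-native-code-push@5.3.0 >
// code-push@2.0.4 > superagent@1.8.5
const sampleTree = {
  name: 'test-react-native-code-push',
  version: '0.1.0',
  dependencies: {
    'react-native-code-push': {
      version: '5.3.0',
      dependencies: {
        'code-push': {
          version: '2.0.4',
          dependencies: { superagent: { version: '1.8.5' } },
        },
      },
    },
  },
};

// Compare two dotted version strings numerically (prerelease tags ignored).
// Returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ path, version }] for every copy of `pkg` older than `patched`,
// so a nested duplicate is not missed just because a newer hoisted copy exists.
function findVulnerable(tree, pkg, patched) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkg && compareVersions(node.version, patched) < 0) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(sub, child, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Patched range from the advisory above: superagent >=3.7.0
console.log(findVulnerable(sampleTree, 'superagent', '3.7.0'));
```

An empty result after upgrading to code-push@2.1.5+ means no vulnerable superagent remains anywhere in the tree.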