
[Security] patch for react-dev-utils package #28

Closed · notjustinshaw opened this issue Mar 16, 2021 · 0 comments

Labels: P5: Wontfix (an issue that will not be fixed under the current project's implementation); Security (an issue that relates to a known security problem)
Comments

@notjustinshaw (Contributor)

On March 11, 2021, we received the following message from GitHub's dependabot:

[Screenshot of the Dependabot alert, taken 2021-03-15]

The issue was related to the react-dev-utils package which is not used directly by us but rather by a package that we depend on (create-react-app). The issue was described as follows:

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

This bug will be resolved with the next version of the create-react-app package, and only affects clients who use the internal structures of the package (which we do not), so we have muted the notification for now. This issue serves as a reference for future problems if they arise.

You can read more about the issue and fix described at create-react-app#10644

@notjustinshaw notjustinshaw changed the title Security patch [Security] patch for react-dev-utils package Mar 16, 2021
@notjustinshaw notjustinshaw added P5: Wontfix An issue that will not be fixed under the current project's implementation. Security An issue that relates to a known security problem. labels Mar 16, 2021
@notjustinshaw notjustinshaw added this to the v1.0.0-beta milestone Mar 16, 2021