Critical vulnerability in shell-quote #11608
Comments
Any news on this? Snyk says to upgrade react-scripts to version 5, but it will break the application. I am also facing the vulnerability issue in the set-value package as well.
Will you accept a pull request to fix this on versions 3 and 4? I'm trying to remediate the issue in Cypress library and moving to version 5 is a huge change for the application. I'm happy to make the change if you'll release a patch for versions 3 and 4. Usage in
What's the status of this?
From what I can tell, the dependency version was bumped in December 2021 (#11624). It looks like it has been propagated into this release https://github.com/facebook/create-react-app/releases/tag/v5.0.1 Unfortunately this is a major version upgrade and may not be trivially compatible with your project. In particular, I am finding this when naively trying to bump the version and build:
Any updates here?
Any updates on this vulnerability?
react-dev-utils is using shell-quote 1.7.2, which has a vulnerability that has been fixed in 1.7.3.
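To confirm whether an install still resolves a shell-quote older than the fixed 1.7.3, the lock file can be checked directly. This is an added example, not code from create-react-app or from anyone in this thread; the function names and the sample lock data are constructed for illustration, and it covers both the nested (lockfileVersion 1) and flat (lockfileVersion 2 and 3) layouts.

```javascript
// Added example, not project code. Fixed version (1.7.3) is taken from the issue text.
const FIXED = [1, 7, 3];
// True when "x.y.z[-pre][+build]" sorts before the fixed release.
function isBelowFixed(version) {
  const [core, pre] = version.split('+')[0].split('-', 2);
  const parts = core.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return pre !== undefined; // a pre-release of 1.7.3 predates 1.7.3
}
// Returns [{ path, version }] for each installed shell-quote copy below the fix.
function findVulnerableShellQuote(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === 'shell-quote' && meta.version && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), path, meta);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock data (the react-dev-utils version is a placeholder).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/react-dev-utils': { version: '0.0.0-sample' },
    'node_modules/react-dev-utils/node_modules/shell-quote': { version: '1.7.2' },
    'node_modules/shell-quote': { version: '1.7.3' },
  },
};
console.log(findVulnerableShellQuote(sampleLock));
```

For a real project, pass the parsed contents of `package-lock.json` to `findVulnerableShellQuote`; an empty result means no installed copy is below 1.7.3.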