Critical vulnerability in shell-quote #11608

Open
phamik opened this issue Nov 1, 2021 · 6 comments

Comments

@phamik

phamik commented Nov 1, 2021

react-dev-utils is using shell-quote 1.7.2, which has a vulnerability that has been fixed in 1.7.3.
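To make the report above concrete, the following is an added example (my own code, not from the shell-quote or create-react-app projects). It reimplements only the unquoted-argument branch of shell-quote's quote(), as it behaved in 1.7.2 and after the 1.7.3 fix for CVE-2021-42740, so the difference can be seen without installing either version. The 1.7.2 regex lets a Windows drive prefix such as "C:" through unescaped, but its character class is written as the range [A-z], which in ASCII also spans the characters between Z and a, including backtick and backslash; a backtick followed by a colon is therefore accepted as a "drive letter" and reaches the shell unescaped. The regexes are reconstructed from those two releases, and the payload, the function names and the check helper are assumptions made for this illustration.

```javascript
// Added example, not code from shell-quote or create-react-app. It
// reimplements only the unquoted-argument branch of shell-quote's quote()
// (the branch taken when the argument contains no whitespace or quotes),
// reconstructed from the 1.7.2 and 1.7.3 releases; the function names and
// the payload are assumptions made for this illustration.

// 1.7.2: the optional first group is meant to pass a Windows drive prefix
// ("C:") through unescaped, but [A-z] is an ASCII range that also covers
// [ \ ] ^ _ and ` (0x5B-0x60), so "`:" is accepted as a "drive letter" and
// the backtick is emitted without a backslash.
function escapeUnquoted172(s) {
  return String(s).replace(/([A-z]:)?([#!"$&'()*,:;<=>?@[\\\]^`{|}])/g, '$1\\$2');
}

// 1.7.3: the range is narrowed to real letters, so a backtick can only ever
// be matched by the second group, which is always backslash-escaped.
function escapeUnquoted173(s) {
  return String(s).replace(/([A-Za-z]:)?([#!"$&'()*,:;<=>?@[\\\]^`{|}])/g, '$1\\$2');
}

// Check an escaped string for characters that open a command substitution,
// a redirection or a command separator and are NOT preceded by a backslash.
// Returns the offending characters in order (empty array when safe).
function unescapedOperators(escaped) {
  const found = [];
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === '\\') { i += 1; continue; } // the next char is escaped
    if ('`$;|&()<>'.includes(escaped[i])) found.push(escaped[i]);
  }
  return found;
}

// Constructed payload: "`:" followed by any metacharacter is passed through
// as a drive prefix, leaving that backtick unescaped. Doing it twice yields a
// balanced pair of unescaped backticks around an escaped nested `whoami`.
const PAYLOAD = '`:`whoami``:;';

console.log('1.7.2:', escapeUnquoted172(PAYLOAD), unescapedOperators(escapeUnquoted172(PAYLOAD)));
console.log('1.7.3:', escapeUnquoted173(PAYLOAD), unescapedOperators(escapeUnquoted173(PAYLOAD)));
// The intended Windows case is handled identically before and after the fix.
console.log('drive:', escapeUnquoted172('C:\\Users\\me'), escapeUnquoted173('C:\\Users\\me'));
```

With 1.7.2 the payload is emitted as `:\`whoami\``:\; with two unescaped backticks. A POSIX shell treats everything between them as a command substitution, removes the backslashes in front of the inner backticks while doing so, and therefore runs whoami as a nested substitution while evaluating it; the outer command never sees a quoting error. With 1.7.3 every metacharacter in the same input is escaped. The exposure only exists where the quoted string is handed to a shell, for example through child_process.exec; execFile or spawn with an argument array never parse it as shell syntax.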

@kee0624

kee0624 commented Jan 6, 2022

Any news on this? According to Snyk, react-scripts should be upgraded to version 5, but that will break the application.

I am also facing the vulnerability issue in the set-value package.

@mrbusche

mrbusche commented Jan 31, 2022

Will you accept a pull request to fix this on versions 3 and 4? I'm trying to remediate the issue in the Cypress library, and moving to version 5 is a huge change for the application. I'm happy to make the change if you'll release a patch for versions 3 and 4.

Usage in 3.4.4 https://github.com/facebook/create-react-app/blob/v3.4.4/packages/react-dev-utils/package.json#L76
Usage in 4.0.3 https://github.com/facebook/create-react-app/blob/v4.0.3/packages/react-dev-utils/package.json#L76
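For anyone who, like the commenter above, has to stay on react-scripts 3 or 4, the first question is which copies of shell-quote the lockfile actually resolves, since react-dev-utils pins its own copy and a hoisted 1.7.3 at the top level does not change that. The following is an added example (my own code, not from the create-react-app project) that audits a package-lock v2/v3 style "packages" map for every resolved shell-quote and flags those older than the fixed release. The lockfile embedded in it is a constructed sample, and its version numbers are illustrative rather than copied from a real react-scripts tree.

```javascript
// Added example, not code from create-react-app. Walks the "packages" map of
// an npm lockfile (lockfileVersion 2 or 3) and reports every resolved copy of
// shell-quote, marking those below the release that fixed the issue.
// SAMPLE_LOCK is a constructed fragment; its versions are illustrative.

const FIXED_VERSION = '1.7.3';

// Minimal ordering for plain x.y.z versions (no prerelease or build tags,
// which is all a lockfile "version" field contains for published packages).
function versionLess(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Returns one record per resolved copy of pkgName, wherever it is nested:
// { path, version, vulnerable }.
function auditShellQuote(lock, pkgName = 'shell-quote', fixed = FIXED_VERSION) {
  const suffix = `node_modules/${pkgName}`;
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      results.push({ path, version: entry.version, vulnerable: versionLess(entry.version, fixed) });
    }
  }
  return results;
}

// Constructed sample: a fixed copy is hoisted to the top level, but
// react-dev-utils still resolves its own, older, nested copy.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', dependencies: { 'react-scripts': '4.x' } },
    'node_modules/react-scripts': { version: '4.0.3' },
    'node_modules/react-dev-utils': { version: '11.x', dependencies: { 'shell-quote': '1.7.2' } },
    'node_modules/react-dev-utils/node_modules/shell-quote': { version: '1.7.2' },
    'node_modules/shell-quote': { version: '1.7.3' },
  },
};

for (const r of auditShellQuote(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.version}  ${r.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). If a nested 1.7.2 shows up and upgrading react-scripts is not an option, the transitive version can be forced from the application's package.json with npm's "overrides" field (npm 8.3 and later) or yarn's "resolutions" field; this is general package-manager practice, not something the thread itself recommends, and it should be re-checked with the audit after every install.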

@Sammi87

Sammi87 commented Jun 27, 2022

What's the status of this?

@bh2smith

bh2smith commented Jul 1, 2022

What's the status of this?

From what I can tell, the dependency version was bumped in December 2021 (#11624). It looks like it has been propagated into this release:

https://github.com/facebook/create-react-app/releases/tag/v5.0.1

Unfortunately this is a major version upgrade and may not be trivially compatible with your project.

In particular, I am finding this when naively trying to bump the version and build:

Module not found: Error: Can't resolve 'stream' in '/node_modules/@fast-csv/parse/build/src'
BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default.
This is no longer the case. Verify if you need this module and configure a polyfill for it.

If you want to include a polyfill, you need to:
        - add a fallback 'resolve.fallback: { "stream": require.resolve("stream-browserify") }'
        - install 'stream-browserify'
If you don't want to include a polyfill, you can use an empty module like this:
        resolve.fallback: { "stream": false }


error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

@ihor-certn

Any updates here?

@AbhaySBhosale

Any updates on this vulnerability?

7 participants