Missing Origin Validation in react-scripts@1.x.x #5777

Closed
tanx opened this issue Nov 12, 2018 · 4 comments
Comments

@tanx

tanx commented Nov 12, 2018

Any chance the security fix will get backported to webpack-dev-server@2.x.x? We're still on react-scripts@1.x.x, which relies on this version range. Here is the respective issue in webpack-dev-server. Thanks for your consideration.

=== npm audit security report ===

# Run  npm install react-scripts@2.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
@iansu
Contributor

iansu commented Nov 14, 2018

It sounds like they are not going to backport the fix. I'm closing this as I don't think there's anything we can do about it.

@iansu iansu closed this as completed Nov 14, 2018
@Timer
Contributor

Timer commented Nov 15, 2018

"Steal a developer's source code" -- the source code is public anyways during deployment, this should really be a low/medium security report.

@ealexhaywood

I am getting the same error using the latest version of CRA 2.1.2. My npm audit says the vulnerability is patched in webpack-dev-server@3.1.11 and react-scripts uses 3.1.9.

@armingjazi

Guys, an update on this is appreciated! webpack-dev-server is not backporting the fix; one possible resolution is to update react to depend on a newer version.

@lock lock bot locked and limited conversation to collaborators Jan 8, 2019