Skip to content
This repository has been archived by the owner on Jun 15, 2022. It is now read-only.

[Snyk] Security upgrade react-native from 0.10.1 to 0.63.0 #6

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade react-native from 0.10.1 to 0.63.0 #6

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • SearchBarExample/package.json
    • SearchBarExample/.snyk

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 No Proof of Concept
high severity 681/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.2		 Command Injection
SNYK-JS-LODASH-1040724		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-450202		 No Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
SNYK-JS-LODASH-567746		 No Proof of Concept
critical severity 704/1000
Why? Has a fix available, CVSS 9.8		 Prototype Pollution
SNYK-JS-LODASH-590103		 No No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-608086		 No Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-LODASH-73638		 No Proof of Concept
medium severity 541/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-73639		 No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-MERGE-1040469		 No No Known Exploit
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3		 Prototype Pollution
SNYK-JS-MERGE-1042987		 No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-1019388		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251		 No No Known Exploit
medium severity 596/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.5		 Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 No Proof of Concept
medium severity 586/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835		 No Proof of Concept
low severity 506/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:braces:20180219		 No Proof of Concept
medium severity 529/1000
Why? Has a fix available, CVSS 6.3		 Non-Constant Time String Comparison
npm:cookie-signature:20160804		 No No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908		 No No Known Exploit
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:hoek:20180212		 No Proof of Concept
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 No Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Regular Expression Denial of Service (ReDoS)
npm:mime:20170907		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Regular Expression Denial of Service (ReDoS)
npm:minimatch:20160620		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:ms:20151024		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
npm:qs:20140806		 No No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Denial of Service (DoS)
npm:qs:20140806-1		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Prototype Override Protection Bypass
npm:qs:20170213		 No No Known Exploit
medium severity 429/1000
Why? Has a fix available, CVSS 4.3		 Directory Traversal
npm:send:20140912		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Root Path Disclosure
npm:send:20151103		 No No Known Exploit
high severity 629/1000
Why? Has a fix available, CVSS 8.3		 Improper minification of non-boolean comparisons
npm:uglify-js:20150824		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Regular Expression Denial of Service (ReDoS)
npm:uglify-js:20151024		 No No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Remote Memory Exposure
npm:ws:20160104		 No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
npm:ws:20160624		 No No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3		 Insecure Randomness
npm:ws:20160920		 No No Known Exploit
high severity 761/1000
Why? Mature exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
npm:ws:20171108		 No Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: react-native The new version differs by 250 commits.
  • 4f89733 [0.63.0] Bump version numbers
  • 6ed1b39 Fix debugging on android for 0.63 (#29204)
  • 0225f18 Changed iOS LaunchScreen from xib to storyboard (#28239)
  • 0b6fad6 Pressable: Add Support for Inspector Overlay
  • fb429a5 iOS: Fix Animated image crash when CADisplayLink target in RCTWeakProxy is nil
  • 262a3f6 Pressable: Rename pressRectOffset to pressRetentionOffset to be consistent with other touchables
  • 29639e7 Enable with CocoaPods `:configuration` (#28796)
  • 27ccc60 Upgrade Flipper to 0.37.0 (#28545)
  • 48413a4 [0.63.0-rc.1] Bump version numbers
  • 208bd05 Bump @ react-native-community/eslint-config in new app template
  • 574447a Revert D21064653: Remove the post install step
  • 5e51e54 Update react.gradle (#28776)
  • b645f23 Fix folly::dynamic crash when attaching a debugger to Hermes
  • 18f1c69 Allow iOS PlatformColor strings to be ObjC or Swift UIColor selectors (#28703)
  • 87f5b8b Remove the post install step (#28651)
  • ff1558d Upgrade Hermes dependency to 0.5.0
  • e2dd18d [0.63.0-rc.0] Bump version numbers
  • 787a772 (eslint-config) update community eslint plugin in eslint config (#28642)
  • 7acd667 chore: remove Kotlin version from the default template
  • 5f7b44c fix: do not throw on missing `cliPath`, use the default value (#28625)
  • b191809 chore: update CLI
  • 696fb55 Update default Podfile to not depend on a path (#28572)
  • c7f2595 Migrate setNativeProps to commands in iOS text input
  • 00c4d95 Implement event count for TextInput

See the full diff

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
medium severity 636/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3		 Prototype Pollution
npm:lodash:20180130		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

@snyk-bot
fix: SearchBarExample/package.json & SearchBarExample/.snyk to reduce…
073bfb1 
… vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MERGE-1040469
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/npm:braces:20180219
- https://snyk.io/vuln/npm:cookie-signature:20160804
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20151024
- https://snyk.io/vuln/npm:qs:20140806
- https://snyk.io/vuln/npm:qs:20140806-1
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:send:20140912
- https://snyk.io/vuln/npm:send:20151103
- https://snyk.io/vuln/npm:uglify-js:20150824
- https://snyk.io/vuln/npm:uglify-js:20151024
- https://snyk.io/vuln/npm:ws:20160104
- https://snyk.io/vuln/npm:ws:20160624
- https://snyk.io/vuln/npm:ws:20160920
- https://snyk.io/vuln/npm:ws:20171108


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:lodash:20180130
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@snyk-bot