hietalajulius (Contributor) commented Dec 6, 2024

Summary

Addresses #7134 (comment)

TL;DR: remix-run/server-runtime (which is a downstream dependency of the example react native app) depends on cookie (version ^0.6.0), which has a vulnerability prior to 0.7.0. This PR adds a resolution to >=0.7.0. It also switches to using yarn instead of npm.

Test plan

before resolution

$ yarn audit
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ cookie accepts cookie name, path, and domain with out of     │
│               │ bounds characters                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cookie                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.7.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo-router                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo-router > @expo/server > @remix-run/node >               │
│               │ @remix-run/server-runtime > cookie                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1099846                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1067
Severity: 1 Low
✨  Done in 0.47s.

after resolution

$ yarn audit
yarn audit v1.22.22
0 vulnerabilities found - Packages audited: 1067
✨  Done in 0.43s.
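As an added example (not part of the PR or of the executorch repository), a check a reviewer can run over a project's yarn.lock to confirm that every resolved copy of `cookie` meets the patched floor that the PR's resolution enforces; `yarn audit` reports what it finds, but reading the lockfile directly shows which requested range still pins the old release. The lockfile fragment and the helper names are constructed for illustration:

```javascript
// Constructed yarn.lock (v1) fragment, not taken from the PR: the transitive
// request from @remix-run/server-runtime still resolves cookie to an unpatched
// release, while a second request already lands on a patched one.
const SAMPLE_LOCK = `
"@remix-run/server-runtime@^2.9.0":
  version "2.9.0"
  dependencies:
    cookie "^0.6.0"
cookie@^0.6.0:
  version "0.6.0"
cookie@^0.7.0:
  version "0.7.2"
`;
// Parse a yarn v1 lockfile into { name, requested, version } records. An entry header
// sits at column 0, lists "name@range" keys (comma separated, optionally quoted) and
// ends in a colon; the entry body is indented beneath it.
function parseYarnLock(text) {
  const entries = [];
  let current = [];
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const keys = line.replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      current = keys.map((key) => {
        const at = key.lastIndexOf("@"); // scoped names also start with "@"
        return { name: key.slice(0, at), requested: key.slice(at + 1), version: null };
      });
      entries.push(...current);
    } else {
      const m = line.match(/^ {2}version "([^"]+)"/); // top-level field only
      if (m) for (const e of current) e.version = m[1];
    }
  }
  return entries;
}
// Numeric dotted-version comparison; pre-release suffixes are ignored (constructed helper).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Every lockfile entry of `pkg` that resolved below `minFixed` (or never resolved at all).
function findUnpatched(lockText, pkg, minFixed) {
  return parseYarnLock(lockText).filter((e) =>
    e.name === pkg && (e.version === null || compareVersions(e.version, minFixed) < 0));
}
```

Run it against the real yarn.lock (`findUnpatched(fs.readFileSync("yarn.lock", "utf8"), "cookie", "0.7.0")`); after the `resolutions` entry from this PR is applied and the lockfile regenerated, the result should be empty.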

pytorch-bot (bot) commented Dec 6, 2024

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/7218

Note: Links to docs will display an error until the docs builds have been completed.

✅ No Failures

As of commit 70b211e with merge base 63238ab:
💚 Looks good so far! There are no failures yet. 💚

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@facebook-github-bot facebook-github-bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Dec 6, 2024
hietalajulius (Contributor, Author) commented:

@pytorchbot label "topic: not user facing"

@hietalajulius hietalajulius changed the title fix: add a version resolution for cookie in react native and use yarn as the package manager fix: add a version resolution for cookie in react native llama example app and use yarn as the package manager Dec 6, 2024
facebook-github-bot (Contributor) commented:

@shoumikhin has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@facebook-github-bot facebook-github-bot merged commit 00afd5e into pytorch:main Dec 6, 2024
42 of 44 checks passed
kirklandsign (Contributor) commented:

Hi @hietalajulius could you please update all packages to latest? Specifically, undici in deps to 6.21.1
