Upgrade metro to v0.58.0 (fix inherited mem vulnerability)


Current dependency path contains os-locale v2.1.0, which contains mem v1.1.0

Dependency path:
│ Path  @react-native-community/cli > metro > yargs > os-locale > mem  

Results in:

https://npmjs.com/advisories/1084 

> Overview

> Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.

Solution:

metro v0.58.0 upgrades yargs from ^9.0.0 to ^14.2.0:
[
Diff metro v0.57.0 | metro v0.58.0](https://github.com/facebook/metro/commit/56e2c5713f5d5c75e6ddb78deeec904359982cf0#diff-223e98b09ed76095facb1ca8c90afd87L69)

yargs 14.2.0 removes os-locale from package.json:

[Diff yargs v9.0.1 | yargs v14.2.0](https://github.com/yargs/yargs/compare/v9.0.1...v14.2.0#diff-b9cfc7f2cdf78a7f4b91a753d10865a2): 



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Upgrade metro to v0.58.0 (fix inherited mem vulnerability) #922

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Upgrade metro to v0.58.0 (fix inherited mem vulnerability) #922

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions