Critical vulnerability in shell-quote
react-dev-utils is using shell-quote 1.7.2, which has a vulnerability that has been fixed in 1.7.3.
Any news on this? According to Snyk, react-scripts should be upgraded to version 5, but that will break the application.
I am also facing the vulnerability issue in the set-value package.
Will you accept a pull request to fix this on versions 3 and 4? I'm trying to remediate the issue in the Cypress library, and moving to version 5 is a huge change for the application. I'm happy to make the change if you'll release a patch for versions 3 and 4.
Usage in 3.4.4 https://github.com/facebook/create-react-app/blob/v3.4.4/packages/react-dev-utils/package.json#L76
Usage in 4.0.3 https://github.com/facebook/create-react-app/blob/v4.0.3/packages/react-dev-utils/package.json#L76
What's the status of this?
What's the status of this?
From what I can tell, the dependency version was bumped in December 2021 (https://github.com/facebook/create-react-app/pull/11624). It looks like it has been propagated into this release:
https://github.com/facebook/create-react-app/releases/tag/v5.0.1
Unfortunately this is a major version upgrade and may not be trivially compatible with your project.
In particular, I am finding this when naively trying to bump the version and build:
Module not found: Error: Can't resolve 'stream' in '/node_modules/@fast-csv/parse/build/src'
BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default.
This is no longer the case. Verify if you need this module and configure a polyfill for it.
If you want to include a polyfill, you need to:
- add a fallback 'resolve.fallback: { "stream": require.resolve("stream-browserify") }'
- install 'stream-browserify'
If you don't want to include a polyfill, you can use an empty module like this:
resolve.fallback: { "stream": false }
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
Any updates here?
I ran into the same issue, and I fixed it using the npm overrides feature.
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
{
...
"overrides": {
"shell-quote": "1.7.4"
}
}
This will force react-scripts and react-dev-utils to use shell-quote@1.7.4.
Hope this helps!
Any updates on this vulnerability?