Npm install high severity issues react native 0.66
Description
After I tried to install an npm library I saw a heavy list of vulnerabilities, mostly pointing to the set-value issue https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541. I tried setting up a fresh RN project (0.66) and this is also occurring.

React Native version:
0.66 and 0.64 (the current project I'm working on)
Steps To Reproduce
- initialize a project using the npx react-native init AwesomeProject command
- run npm install after setup and then the vulnerabilities will appear
Expected Results
Minimal to no vulnerabilities. I'm just curious if it is ok to ignore the vulnerabilities?
Some new critical ones today coming from lodash:

Also seeing another moderate level vulnerability after a fresh install with the package chalk/ansi-regex
Here is a summary of what I'm getting as of October 11 before I install any dependencies:
- I ran npx react-native init demoApp
- After it finished I ran npm install, but did not install any dependencies yet. This is just to be able to do npm audit before installing any dependencies.
- I get this response:

- Here is what I get when I run npm audit:


- If I run npm audit fix it doesn't reduce the number of vulnerabilities.
- If I run npm audit fix --force it reduces to 24 high severity vulnerabilities.
- No matter how many times I run npm audit fix --force I can't seem to get below 24 severe vulnerabilities and 8 moderate. Also, this creates breaking changes.
- Running react-native init projectName results in having "react": "17.0.2", and "react-native": "0.66.0" listed in package.json.
- Running npm audit fix --force several times to get to the lowest possible number of vulnerabilities seems to result in "react": "17.0.2", and "react-native": "^0.61.4", in package.json.
Ok, it looks like a lot of what I posted earlier is an issue with npm, not an issue with react-native. If I just create an empty folder on my computer and run npm install in that folder I get:

So I guess 10 of the issues marked as severe vulnerabilities in my previous post are specific to react-native.
If you go to https://nodejs.org/en/ it says "New security releases to be made available October 12th, 2021" so it seems like a lot of this could be resolved by updating node tomorrow.
Now that those node security releases are available I updated node and I'm still getting the exact same number of vulnerability warnings, so I guess the security issues fixed in the new releases for node weren't any of the ones flagged by npm audit. These links seem relevant to what's going on:
https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/
https://overreacted.io/npm-audit-broken-by-design/
Yeah, npm audit has nothing to do with Node security unless you're specifically working on a Node project. It has to do with the packages specified in the output. A lot of the current problems relate to versions of set-value and ansi-regex needing to be bumped.
I believe this is now resolved with the release of cache-base 4.0.2 (https://github.com/jonschlinkert/cache-base/commit/afb51c80fb54682bae3a4b0ad458dbbcdbfd69f9)
Can we get a fix on these HIGH SEVERITY vulnerabilities?
Vulnerable module: shell-quote
Introduced through: @react-native-community/[email protected], @react-native-community/[email protected] and others
Detailed paths:
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected]
Regular Expression Denial of Service (ReDoS)
Vulnerable module: ansi-regex
Introduced through: @react-native-community/[email protected], @react-native-community/[email protected] and others
Detailed paths:
- Introduced through: [email protected] › @react-native-community/[email protected] › [email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › [email protected] › [email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › [email protected] › [email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › [email protected] › [email protected] › [email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected] › [email protected] › [email protected]
- Introduced through: [email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › @react-native-community/[email protected] › [email protected] › [email protected] › [email protected] › [email protected]
Is there a fix that was merged / is being worked on regarding this vulnerability?
Closing as this version of React Native is several years old. Please re-open a new issue against the latest stable if the issue persists