
Security Issue

Open lokeshwarobuli opened this issue 1 year ago • 2 comments

I am using react-use 17.5.0, and recently a security issue has been opened: https://cwe.mitre.org/data/definitions/1321.html and https://nvd.nist.gov/vuln/detail/CVE-2024-39008

If I do npm ls fast-loops, I get the following:

[Screenshot: output of npm ls fast-loops, 2024-07-10]

lokeshwarobuli avatar Jul 10 '24 18:07 lokeshwarobuli

Also, Dependabot says it's fixed in 1.1.4. [Screenshot: Dependabot alert, 2024-07-10]

lokeshwarobuli avatar Jul 10 '24 18:07 lokeshwarobuli

and [email protected] removed the fast-loops dependency last week (https://github.com/robinweser/inline-style-prefixer/commit/4c1ffce41c08ebbc5e4e773f8de7149944270f1a), and nano-css has opened a PR for bumping the version of [email protected]: https://github.com/streamich/nano-css/pull/313

lkazberova avatar Jul 11 '24 10:07 lkazberova

I was also concerned at first. Then I realized that the dependency nano-css is only used in the hook useCss. With tools like webpack-bundle-analyzer, you can check whether the hook useCss is actually bundled in your codebase.

bigaru avatar Jul 12 '24 16:07 bigaru
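Triage script for the situation described in this thread, added here as an example (not code from react-use, nano-css, or any commenter): it walks the JSON that `npm ls fast-loops --json` prints, lists every dependency chain that ends in fast-loops, and flags installs below the 1.1.4 fix version Dependabot reports. The chain react-use > nano-css > inline-style-prefixer > fast-loops follows the thread; every version string except react-use 17.5.0 is constructed sample data, not taken from the advisory.

```javascript
// Added example: triage an `npm ls <pkg> --json` tree for a vulnerable transitive dependency.
// Constructed sample in the shape `npm ls fast-loops --json` prints; versions other than
// react-use 17.5.0 are illustrative placeholders, not real package versions.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "react-use": {
      version: "17.5.0",
      dependencies: {
        "nano-css": {
          version: "0.0.0-sample",
          dependencies: {
            "inline-style-prefixer": {
              version: "0.0.0-sample",
              dependencies: { "fast-loops": { version: "1.1.3" } },
            },
          },
        },
      },
    },
  },
};

// Minimal "a < b" on MAJOR.MINOR.PATCH (pre-release tags ignored), enough for npm ls output.
function lessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Return every dependency chain that ends in `target`, with a flag telling whether the
// installed version is still below `fixedIn` (i.e. the vulnerable range per the advisory).
function findVulnerableChains(tree, target, fixedIn) {
  const hits = [];
  const walk = (node, chain) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const path = [...chain, `${name}@${dep.version}`];
      if (name === target) hits.push({ chain: path.join(" > "), vulnerable: lessThan(dep.version, fixedIn) });
      walk(dep, path); // keep descending: a package can appear more than once in a tree
    }
  };
  walk(tree, []);
  return hits;
}

const report = findVulnerableChains(SAMPLE_TREE, "fast-loops", "1.1.4");
for (const h of report) console.log(`${h.vulnerable ? "VULNERABLE" : "ok"}: ${h.chain}`);
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the `npm ls fast-loops --json` output; a chain that passes only through nano-css confirms the useCss-only exposure described above, which you can then cross-check with webpack-bundle-analyzer.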

and [email protected] removed the fast-loops dependency last week (robinweser/inline-style-prefixer@4c1ffce), and nano-css has opened a PR for bumping the version of [email protected]: streamich/nano-css#313

@lkazberova Any update on the nano-css PR?

VishnuNCS avatar Jul 16 '24 01:07 VishnuNCS

@VishnuNCS no updates, waiting for when @streamich will have a chance to merge it

@bigaru Unfortunately, it will not help with automatic security audits of this package :(

lkazberova avatar Jul 18 '24 11:07 lkazberova

I have bumped both nano-css and react-use. However, note that react-use was never affected by this vulnerability; the vulnerability is in the CSS auto-prefixer plugin of nano-css, which is not used by react-use.

streamich avatar Jul 20 '24 13:07 streamich