react-dev-utils: Security vulnerability with immer 7.0.9 #10578

Closed
binary64 opened this issue Feb 19, 2021 · 8 comments

@binary64

Describe the bug

Security vulnerability with immer 7.0.9

https://www.npmjs.com/advisories/1603

Actual behavior

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > react-dev-utils > immer                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1603                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

Reproducible demo

yarn install @storybook/react && yarn audit
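For readers who have not seen a prototype-pollution bug up close, here is an added example that is not immer's code and does not reproduce the advisory above: a minimal "set a value at a path" helper of the sort any patch-applying library needs, first in an unsafe form and then hardened. The hostile path and the helper names are constructed for illustration.

```javascript
// Added example, not immer's code: a tiny "set value at path" helper of the kind
// a patch-applying library needs, shown unsafe and then hardened. The path is
// the attacker-controlled input (e.g. a JSON patch received over the network).

// Unsafe: follows whatever keys the path names, including inherited ones.
function setByPathUnsafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (typeof cur[key] !== "object" || cur[key] === null) cur[key] = {};
    cur = cur[key]; // for key "__proto__" this is Object.prototype
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Hardened: reject the keys that reach the prototype chain, and only descend
// into the object's own properties so an inherited value is never reused.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setByPathSafe(target, path, value) {
  if (path.length === 0) throw new Error("empty path");
  for (const key of path) {
    if (RESERVED_KEYS.has(String(key))) {
      throw new Error(`refusing to traverse reserved key: ${String(key)}`);
    }
  }
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Runs the same hostile path through both helpers and reports what happened.
function demonstratePollution() {
  const hostilePath = ["__proto__", "isAdmin"]; // constructed attacker input
  setByPathUnsafe({}, hostilePath, true);
  const unrelated = {};                          // never touched directly
  const polluted = unrelated.isAdmin === true;   // true: every object now "has" isAdmin
  delete Object.prototype.isAdmin;               // undo the damage for the rest of the process

  let rejected = false;
  try {
    setByPathSafe({}, hostilePath, true);
  } catch (e) {
    rejected = true;
  }
  const stillClean = ({}).isAdmin === undefined;
  return { polluted, rejected, stillClean };
}

console.log(demonstratePollution()); // { polluted: true, rejected: true, stillClean: true }
```

The unsafe helper never assigns to `Object.prototype` by name; it gets there simply by reading `target["__proto__"]` and continuing to walk. That is why the fix is a key denylist plus an own-property check on the way down, not a check on the final assignment alone.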

@HartS

HartS commented Feb 19, 2021

npm audit shows:

[hartsimha:~/myproject/ main(+2836/-4525)* ± npm audit

# npm audit report

immer  <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
fix available via `npm audit fix --force`
Will install react-scripts@2.0.5, which is a breaking change
node_modules/immer
  react-dev-utils  >=6.0.6-next.9b4009d7
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=2.0.6-next.9b4009d7
    Depends on vulnerable versions of react-dev-utils
    node_modules/react-scripts

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

@Aleksei-Pankratev-EPAM

I wonder if there is any reason for not specifying the dependency as "greater or equal" (^x.y.z)? That would prevent this issue from the start.

@Pistaco

Pistaco commented Feb 20, 2021

I have the same issue. Is this a global problem, or is it a particular one?

@Pistaco

Pistaco commented Feb 20, 2021

Anyway, is it a serious thing?

@joshkel

joshkel commented Feb 20, 2021

@Aleksei-Pankratev-EPAM, from what I understand, it's create-react-app's general policy to pin all dependencies to exact versions. That helps make sure that everything keeps working, but (as you said) it has the disadvantage of making it harder to get minor package upgrades for security fixes. In this case, a caret range wouldn't have helped; create-react-app uses Immer 7.0.9, and the Immer bug was fixed in 8.0.1, which a caret range wouldn't match (due to potential backward-incompatible changes).

@Pistaco, create-react-app isn't affected by this particular security issue. So, although there are big advantages to keeping any automated security scanners happy, it's not an issue if you're not using Immer yourself.
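The caret-range point above is easy to check mechanically. The following is an added example (not create-react-app's or npm's code, and not a substitute for the `semver` package): a minimal caret matcher plus a check against the "Patched in >=8.0.1" floor from the audit table, showing that `"^7.0.9"` admits `7.1.0` but not `8.0.1`, exactly as the comment says. The function names are mine.

```javascript
// Added example, not npm's or create-react-app's code: minimal semver caret
// matching, enough to show why "7.0.9" vs "^7.0.9" makes no difference when
// the fix only exists in 8.0.1.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: the leftmost non-zero component is frozen, everything to
// its right may move upward. An exact pin (no "^") matches only itself.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const ver = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] !== 0) return ver[0] === base[0];
  if (base[1] !== 0) return ver[0] === 0 && ver[1] === base[1];
  return ver[0] === 0 && ver[1] === 0 && ver[2] === base[2];
}

// "Patched in >=8.0.1" from the audit table: true once the installed version
// reaches that floor.
function isPatched(version, patchedIn) {
  const m = /^>=\s*(\S+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported patched-in range: ${patchedIn}`);
  return compareVersions(version, m[1]) >= 0;
}

// The situation in this thread: immer pinned at 7.0.9, fix released in 8.0.1.
function pinningComparison() {
  return {
    exactPinMatchesFix: caretSatisfies("7.0.9", "8.0.1"),       // false
    caretMatchesFix: caretSatisfies("^7.0.9", "8.0.1"),         // false: major changed
    caretMatchesMinorBump: caretSatisfies("^7.0.9", "7.1.0"),   // true
    installedIsPatched: isPatched("7.0.9", ">=8.0.1"),          // false
  };
}

console.log(pinningComparison());
```

The practical consequence: when the patched version crosses a major boundary, neither a pin nor a caret range picks it up, so the fix has to arrive as a deliberate dependency bump in the consuming project (here, react-dev-utils), or via an `overrides`/`resolutions` entry in the application that pulls the transitive dependency forward.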

@stormmuller

Everyone watching their npm audit build steps burn 😄

Also, there is no way to ignore certain packages or vulnerabilities. Except for --production or --only=prod. However react-scripts should be a production dependency AFAIK?

So really the only way to keep our CI pipelines happy is to disable audits for now 😞
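Rather than disabling audits entirely, one option is to keep running `npm audit --json` and gate CI on its output yourself, with an explicit, expiring allowlist of advisories you have reviewed. The following is an added example and not npm's code; the report object is constructed to mirror the advisory on this page (with one hypothetical extra finding under a made-up package name), and its field names follow the `auditReportVersion: 2` layout of npm 7 as I understand it, which is an assumption of this example.

```javascript
// Added example, not npm's code: a CI gate over `npm audit --json` output that
// fails only on advisories not on an explicit, expiring allowlist. The report
// below is constructed; field names assume npm 7's "auditReportVersion: 2".

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    immer: {
      name: "immer", severity: "high", range: "<8.0.1", nodes: ["node_modules/immer"],
      via: [{ source: 1603, name: "immer", title: "Prototype Pollution",
              url: "https://npmjs.com/advisories/1603", severity: "high", range: "<8.0.1" }],
      effects: ["react-dev-utils"],
    },
    "react-dev-utils": { // transitive: "via" names the package, not an advisory
      name: "react-dev-utils", severity: "high", range: ">=6.0.6-next.9b4009d7",
      nodes: ["node_modules/react-dev-utils"], via: ["immer"], effects: ["react-scripts"],
    },
    "react-scripts": {
      name: "react-scripts", severity: "high", range: ">=2.0.6-next.9b4009d7",
      nodes: ["node_modules/react-scripts"], via: ["react-dev-utils"], effects: [],
    },
    "example-pkg": { // hypothetical second finding, not on the allowlist
      name: "example-pkg", severity: "high", range: "<1.2.3", nodes: ["node_modules/example-pkg"],
      via: [{ source: 99999, name: "example-pkg", title: "Hypothetical finding",
              url: "https://example.invalid/advisories/99999", severity: "high", range: "<1.2.3" }],
      effects: [],
    },
  },
};

// Constructed allowlist: every entry carries a reason and an expiry so the
// suppression is revisited rather than forgotten.
const sampleAllowlist = [
  { id: 1603, reason: "transitive via react-dev-utils; not reachable from app code (see thread)",
    expires: "2021-06-01" },
];

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Deduplicate: npm reports one row per affected package ("3 high severity
// vulnerabilities" above), but the root advisory is what you review.
function collectAdvisories(report) {
  const seen = new Map();
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const v of pkg.via || []) {
      if (typeof v !== "object") continue; // string = transitive edge, advisory is on the root
      if (!seen.has(v.source)) {
        seen.set(v.source, { id: v.source, pkg: v.name, title: v.title, severity: v.severity,
                             range: v.range, url: v.url, paths: new Set() });
      }
      seen.get(v.source).paths.add(pkg.name);
    }
  }
  return [...seen.values()];
}

function gateAudit(report, allowlist, opts = {}) {
  const minRank = SEVERITY_RANK[opts.minSeverity || "high"];
  const now = opts.now || new Date();
  const active = new Map(allowlist
    .filter((e) => !e.expires || new Date(e.expires) > now)
    .map((e) => [e.id, e]));
  const blocking = [];
  const suppressed = [];
  for (const adv of collectAdvisories(report)) {
    if (SEVERITY_RANK[adv.severity] < minRank) continue;
    if (active.has(adv.id)) suppressed.push({ ...adv, reason: active.get(adv.id).reason });
    else blocking.push(adv);
  }
  return { ok: blocking.length === 0, blocking, suppressed };
}

const verdict = gateAudit(sampleReport, sampleAllowlist, { now: new Date("2021-03-01T00:00:00Z") });
console.log(verdict.ok ? "audit gate: pass" : "audit gate: FAIL", verdict.blocking.map((a) => a.id));
```

In a pipeline you would pipe `npm audit --json` into this instead of the constructed report and exit non-zero when `ok` is false. The expiry matters: once 2021-06-01 passes in the sample, advisory 1603 reappears as blocking, which is the nudge to confirm whether an upstream fix has landed.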

@stormmuller

#10412 (comment)

@gaearon (Contributor)

gaearon commented Feb 22, 2021

This is a duplicate of #10411.

Please see the discussion there. In particular, #10411 (comment).

@gaearon gaearon closed this as completed Feb 22, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Feb 22, 2021