Vulnerable Dependency: macaddress #4479
Comments
|
But according to #3815 the newest version is What version should I install? |
|
From the vulnerability description you linked to:
If you look at the code for So there is no actual vulnerability you're being exposed to. Feel free to send us a PR that bumps the package version when downstream packages stop using the vulnerable one but there is no issue that we need to address on our side. |
|
|
|
It’s said here: https://nodesecurity.io/advisories/654
The // ...
var mac = typeof __webpack_require__ !== 'function' ? require('macaddress').one(macHandler) : null ;
// ...
function macHandler(error){
// ...
}It’s not based on user input and can’t be controlled by an attacker. So there is no vulnerability in this case. Does this explanation help? |
|
@gaearon you were really helpful ! |
|
Hello, just commenting to report that I had the same issue and npm advised me to run Which did the trick. |
|
Stuff will break if you start updating internal packages without ejecting. You’ve been warned :-) Going to lock this thread because there’s no actionable thing here for us. I’ll see if we can bump the dependency in 1.x branch. But again, there’s no real vulnerability here and you’re wasting effort trying to fix it. |
Hi, apologies if this isn't the right place for this.
Using create-react-app and running
npm audit(available as npm 6) returns a vulnerable dependency report with Critical tag:=== npm audit security report ===
Package: macaddress
Dependency of: react-scripts
Path: react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
More info: https://nodesecurity.io/advisories/654
The text was updated successfully, but these errors were encountered: