update immer to 8.0.1 to address vulnerability #10412
Conversation
Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
|
Hi @wclem4! Thank you for your pull request and welcome to our community. Action RequiredIn order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you. ProcessIn order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA. Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks! |
|
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks! |
|
The error in the pipeline seems unrelated to this |
CRA is still in the process of updating with the immer fix ( facebook/create-react-app#10412 ), so this uses a resolution override to use the newest immer. To reduce chance of compatibility issues, I also updated `react-dev-utils` to latest and confirmed that dev and prod builds both still work.
CRA is still in the process of updating with the immer fix ( facebook/create-react-app#10412 ), so this uses a resolution override to use the newest immer. To reduce chance of compatibility issues, I also updated `react-dev-utils` to latest and confirmed that dev and prod builds both still work.
|
is there an update on this? |
|
@iansu what do you think about this PR? Merging this PR + releasing a new version would help address many security vulnerability alerts for FB OSS projects because they use Docusaurus which uses this. |
|
Friendly ping for @ianschmitz, @iansu and @mrmckeb. Please upgrade immer, we really need it! |
|
Can someone please take a look at this? |
|
Just to be clear, there is (and never was) a real vulnerability here. It's a false positive, as it usually happens with build tools. @wclem4 Did you test this change and verify that the function that uses Immer still works? In particular, the TypeScript integration. This is a major version bump. |
|
We will be releasing 4.0.3 this weekend with this package upgrade and some other small fixes. |
|
hi there any news about the upcoming version? |
Could this be backported to 3.x? |
* Fix noFallthroughCasesInSwitch/jsx object is not extensible (facebook#9921) Co-authored-by: Konstantin Simeonov <kon.simeonov@protonmail.com> * Add logo license to README * Remove trailing space in reportWebVitals.ts (facebook#10040) * docs: add React Testing Library as a library requiring jsdom (facebook#10052) Co-authored-by: Ian Schmitz <ianschmitz@gmail.com> * Increase Workbox's maximumFileSizeToCacheInBytes (facebook#10048) * Create FUNDING.yml * replace inquirer with prompts (facebook#10083) - remove `react-dev-utils/inquirer` public import * Prepare 4.0.1 release * Prepare 4.0.1 release * Publish - cra-template-typescript@1.1.1 - cra-template@1.1.1 - create-react-app@4.0.1 - react-dev-utils@11.0.1 - react-scripts@4.0.1 * chore: bump web-vital dependency version (facebook#10143) * chore: bump typescript version (facebook#10141) Co-authored-by: Ian Schmitz <ianschmitz@gmail.com> * Add TypeScript 4.x as peerDependency to react-scripts(facebook#9964) * remove chalk from formatWebpackMessages (facebook#10198) * Upgrade @svgr/webpack to fix build error (facebook#10213) Co-authored-by: Ian Schmitz <ianschmitz@gmail.com> * Improve vendor chunk names in development (facebook#9569) * Update postcss packages (facebook#10003) Co-authored-by: Ian Schmitz <ianschmitz@gmail.com> * Recovered some integration tests (facebook#10091) * Upgrade sass-loader (facebook#9988) * Move ESLint cache file into node_modules (facebook#9977) Co-authored-by: Ian Schmitz <ianschmitz@gmail.com> * Revert "Update postcss packages" (facebook#10216) This reverts commit 580ed5d. * Remove references to Node 8 (facebook#10214) * fix(react-scripts): add missing peer dependency react and update react-refresh-webpack-plugin (facebook#9872) * Update using-the-public-folder.md (facebook#10314) Some library --> Some libraries * docs: add missing override options for Jest config (facebook#9473) * Fix CI tests (facebook#10217) * appTsConfig immutability handling by immer (facebook#10027) Co-authored-by: mad-jose <joset@yeswearemad.com> * Add support for new BUILD_PATH advanced configuration variable (facebook#8986) * Add opt-out for eslint-webpack-plugin (facebook#10170) * Prepare 4.0.2 release * Publish - cra-template-typescript@1.1.2 - cra-template@1.1.2 - create-react-app@4.0.2 - react-dev-utils@11.0.2 - react-error-overlay@6.0.9 - react-scripts@4.0.2 * tests: update test case to match the description (facebook#10384) * Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312) Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs * Upgrade eslint-webpack-plugin to fix opt-out flag (facebook#10590) * update immer to 8.0.1 to address vulnerability (facebook#10412) Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version. * Prepare 4.0.3 release * Update CHANGELOG * Publish - create-react-app@4.0.3 - react-dev-utils@11.0.3 - react-scripts@4.0.3 Co-authored-by: Ryota Murakami <dojce1048@gmail.com> Co-authored-by: Konstantin Simeonov <kon.simeonov@protonmail.com> Co-authored-by: Ian Sutherland <ian@iansutherland.ca> Co-authored-by: sho90 <aznecosann@gmail.com> Co-authored-by: Anyul Rivas <anyulled@gmail.com> Co-authored-by: Ian Schmitz <ianschmitz@gmail.com> Co-authored-by: Jeffrey Posnick <jeffy@google.com> Co-authored-by: Evan Bacon <baconbrix@gmail.com> Co-authored-by: Sahil Purav <sahil5684@gmail.com> Co-authored-by: Hakjoon Sim <trainto@gmail.com> Co-authored-by: Chris Shepherd <chris@chrisshepherd.me> Co-authored-by: Jason Williams <936006+jasonwilliams@users.noreply.github.com> Co-authored-by: Jabran Rafique⚡️ <jabranr@users.noreply.github.com> Co-authored-by: John Ruble <johnruble@gmail.com> Co-authored-by: Morten N.O. Nørgaard Henriksen <morten.n.o.henriksen@icloud.com> Co-authored-by: Sergey Makarov <serega.s.makar@gmail.com> Co-authored-by: EhsanKhaki <ehsankhfr@gmail.com> Co-authored-by: Kristoffer K <merceyz@users.noreply.github.com> Co-authored-by: Aviv Hadar <Avivhdr@gmail.com> Co-authored-by: Tobias Büschel <13087421+tobiasbueschel@users.noreply.github.com> Co-authored-by: mad-jose <44253495+josezone@users.noreply.github.com> Co-authored-by: mad-jose <joset@yeswearemad.com> Co-authored-by: Andrew Hyndman <ajhyndman@hotmail.com> Co-authored-by: Brody McKee <mrmckeb@users.noreply.github.com> Co-authored-by: James George <jamesgeorge998001@gmail.com> Co-authored-by: Dion Woolley <woolley.dion@gmail.com> Co-authored-by: Walker Clem <51654951+wclem4@users.noreply.github.com>
Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
Resolves #10411
Bumps immer version to 8.0.1 to address the prototype pollution
vulnerability with the current 7.0.9 version.