Upgrade immer to 8.0.1 #4066

Closed
twekel opened this issue Feb 1, 2021 · 9 comments

Comments

@twekel

twekel commented Feb 1, 2021

Do you want to request a feature or report a bug?

Security patch for dependency

Can the immer package be upgraded to 8.0.1 as per #4050?

The immer project recently fixed a Prototype Pollution vulnerability.

immerjs/immer#738

What's the current behavior?

packages/slate/package.json
packages/slate-history/package.json
both reference "immer": "^7.0.0"

Slate: 0.60.2
Browser: All
OS: All

What's the expected behavior?

packages/slate/package.json
packages/slate-history/package.json
both reference "immer": "^8.0.1"

as per #4050

@ryanj11

ryanj11 commented Feb 19, 2021

Has there been any movement on this security patch? Are there plans for an update?

@OrionSeven

Would like to see this get updated as well.

@netsgnut

Linking to related issue #4050. There are also some discussions regarding the immer dependency.

@hugbubby

@ianstormtaylor How has this not been fixed? This is an RCE issue

@netsgnut

@hugbubby I think the #4050 PR has been merged (since May) and immer has been bumped since 0.63.0. We should close this.

See slate/yarn.lock, line 6568 in 39b0254:

immer@^8.0.1:

@hanshs

hanshs commented Jul 13, 2021

Hello! I am still receiving the vulnerability notice with "slate-history": "^0.62.0"

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ slate-history                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ slate-history > immer                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@kenziebottoms

Any updates on patching slate-history?

@jungRoit

Any updates on this?

@JulesPatry

Any update on this? :)

10 participants