Resolve immer security alert

[jessex]

What needs to be done? Why does it need to be done?
Resolve the HIGH severity immer security alert: https://github.com/Recidiviz/public-dashboard/security/dependabot/yarn.lock/immer/open

Additional context
This should be resolved within the week of January 25, 2021.

[jessex]

@macfarlandian new security alert for you. Since it's HIGH severity, we want to resolve it next week. Thanks!

[macfarlandian]

@jessex this alert seems to have resolved on its own? I'm not able to find what it was objecting to, nor do I see any recent version changes to that dependency in master, so maybe there was a blip in Dependabot or something?

[jessex]

You're right. Was there a recent commit that may have changed the dependency graph? If not, then the CVE itself must have been updated such that it is no longer a vulnerability for us. FWIW, it remains active in the supervision-success-component repository here: https://github.com/Recidiviz/supervision-success-component/security/dependabot/yarn.lock/immer/open

[macfarlandian]

oh thanks, that helps! Oddly, we still have the very same transitive dependency on the same version of immer, so I don't know why we aren't getting the alert here.

Over at the CRA repo they say there is no actual runtime vulnerability, which is good, but they also have a patch PR open. If that gets merged we ought to be able to upgrade react-scripts in any of our projects to resolve it.

[macfarlandian]

@jessex do we want to keep this ticket open while we wait for an upstream update, or is this a wontfix now that the security alert is no longer active?

[jessex]

With the security alert no longer active, we should close this and reopen this or a new issue if and when this becomes an active alert again. Thanks, Ian!