Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump webpack-dev-server 3.11.0 -> 3.11.1 #10312

Merged
merged 1 commit into from
Feb 18, 2021
Merged

Bump webpack-dev-server 3.11.0 -> 3.11.1 #10312

merged 1 commit into from
Feb 18, 2021
+1 −1

Conversation

Awarua-
Copy link
Contributor

@Awarua- Awarua- commented Dec 30, 2020

Resolves #10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs

@Awarua-
Bump webpack-dev-server 3.11.0 -> 3.11.1
8a061f3 
Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs
@facebook-github-bot
Copy link

Hi @Awarua-!

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file.

In order for us to review and merge your code, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks!

@facebook-github-bot
Copy link

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

@dudeisbrendan03
Copy link

dudeisbrendan03 commented Jan 8, 2021
edited
Loading

websocket-driver

websocket-driver@0.5.6 doesn't appear to exist from what I can see, 0.5.4 predates and 0.6.0 follows after.

websocket-driver@0.5.4 doesn't appear to use sockjs

Edit: Slightly confused as nothing they updated the deps of had an actual (reported) vuln, closest one which had a (now publically disclosed) vulnerability was sockjs versions <0.3.20.

Looks like something happened upstream in webpack-dev-server though

@Awarua-
Copy link
Contributor Author

Awarua- commented Jan 9, 2021

@dudeisbrendan03
So this is what I can tell in terms of dependency resolution
webpack-dev-server =3.11.0 -> imports sockjs =0.3.20 imports -> websocket-driver =0.6.5
webpack-dev-server =3.11.1 -> imports sockjs ^0.3.21 imports -> websocket-driver ^0.7.4

websocket-driver has vulnerability https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/websocket-driver/JS/NPM/lid-3225/summary

@dudeisbrendan03
Copy link

Ah, not sure what was running through my head when looking at webpack-dev

@gaearon gaearon merged commit 9722ef1 into facebook:master Feb 18, 2021
@gaearon gaearon mentioned this pull request Feb 18, 2021
Closed
maghost pushed a commit to GamersClub/create-react-app that referenced this pull request Feb 22, 2021
Merge pull request #1 from facebook/master
b36e690 
Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312)
@drich7449 drich7449 mentioned this pull request Feb 23, 2021
Open
@hzhz hzhz mentioned this pull request Feb 23, 2021
Open
@sirinartk sirinartk mentioned this pull request Feb 23, 2021
Closed
blackarctic added a commit to blackarctic/create-react-app that referenced this pull request Apr 29, 2021
@blackarctic @ryota-murakami
@KonstantinSimeonov @iansu @sho-t @anyulled @ianschmitz @jeffposnick @EvanBacon @trainto @sheepsteak @jasonwilliams @jabranr @jrr @raix @maxsbelt @ehsankhfr @merceyz @Avivhdr @tobiasbueschel @josezone @mad-jose @ajhyndman @mrmckeb @jamesgeorge007 @Awarua- @wclem4
Align with react-scripts 4.0.3 (#17)
109f05d 
* Fix noFallthroughCasesInSwitch/jsx object is not extensible (facebook#9921)

Co-authored-by: Konstantin Simeonov <kon.simeonov@protonmail.com>

* Add logo license to README

* Remove trailing space in reportWebVitals.ts (facebook#10040)

* docs: add React Testing Library as a library requiring jsdom (facebook#10052)

Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>

* Increase Workbox's maximumFileSizeToCacheInBytes (facebook#10048)

* Create FUNDING.yml

* replace inquirer with prompts (facebook#10083)

- remove `react-dev-utils/inquirer` public import

* Prepare 4.0.1 release

* Prepare 4.0.1 release

* Publish

 - cra-template-typescript@1.1.1
 - cra-template@1.1.1
 - create-react-app@4.0.1
 - react-dev-utils@11.0.1
 - react-scripts@4.0.1

* chore: bump web-vital dependency version (facebook#10143)

* chore: bump typescript version (facebook#10141)

Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>

* Add TypeScript 4.x as peerDependency to react-scripts(facebook#9964)

* remove chalk from formatWebpackMessages (facebook#10198)

* Upgrade @svgr/webpack to fix build error (facebook#10213)

Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>

* Improve vendor chunk names in development (facebook#9569)

* Update postcss packages (facebook#10003)

Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>

* Recovered some integration tests (facebook#10091)

* Upgrade sass-loader (facebook#9988)

* Move ESLint cache file into node_modules (facebook#9977)

Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>

* Revert "Update postcss packages" (facebook#10216)

This reverts commit 580ed5d.

* Remove references to Node 8 (facebook#10214)

* fix(react-scripts): add missing peer dependency react and update react-refresh-webpack-plugin (facebook#9872)

* Update using-the-public-folder.md (facebook#10314)

Some library --> Some libraries

* docs: add missing override options for Jest config (facebook#9473)

* Fix CI tests (facebook#10217)

* appTsConfig immutability handling by immer (facebook#10027)

Co-authored-by: mad-jose <joset@yeswearemad.com>

* Add support for new BUILD_PATH advanced configuration variable (facebook#8986)

* Add opt-out for eslint-webpack-plugin (facebook#10170)

* Prepare 4.0.2 release

* Publish

 - cra-template-typescript@1.1.2
 - cra-template@1.1.2
 - create-react-app@4.0.2
 - react-dev-utils@11.0.2
 - react-error-overlay@6.0.9
 - react-scripts@4.0.2

* tests: update test case to match the description (facebook#10384)

* Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312)

Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs

* Upgrade eslint-webpack-plugin to fix opt-out flag (facebook#10590)

* update immer to 8.0.1 to address vulnerability (facebook#10412)

Resolves facebook#10411

Bumps immer version to 8.0.1 to address the prototype pollution
vulnerability with the current 7.0.9 version.

* Prepare 4.0.3 release

* Update CHANGELOG

* Publish

 - create-react-app@4.0.3
 - react-dev-utils@11.0.3
 - react-scripts@4.0.3

Co-authored-by: Ryota Murakami <dojce1048@gmail.com>
Co-authored-by: Konstantin Simeonov <kon.simeonov@protonmail.com>
Co-authored-by: Ian Sutherland <ian@iansutherland.ca>
Co-authored-by: sho90 <aznecosann@gmail.com>
Co-authored-by: Anyul Rivas <anyulled@gmail.com>
Co-authored-by: Ian Schmitz <ianschmitz@gmail.com>
Co-authored-by: Jeffrey Posnick <jeffy@google.com>
Co-authored-by: Evan Bacon <baconbrix@gmail.com>
Co-authored-by: Sahil Purav <sahil5684@gmail.com>
Co-authored-by: Hakjoon Sim <trainto@gmail.com>
Co-authored-by: Chris Shepherd <chris@chrisshepherd.me>
Co-authored-by: Jason Williams <936006+jasonwilliams@users.noreply.github.com>
Co-authored-by: Jabran Rafique⚡️ <jabranr@users.noreply.github.com>
Co-authored-by: John Ruble <johnruble@gmail.com>
Co-authored-by: Morten N.O. Nørgaard Henriksen <morten.n.o.henriksen@icloud.com>
Co-authored-by: Sergey Makarov <serega.s.makar@gmail.com>
Co-authored-by: EhsanKhaki <ehsankhfr@gmail.com>
Co-authored-by: Kristoffer K <merceyz@users.noreply.github.com>
Co-authored-by: Aviv Hadar <Avivhdr@gmail.com>
Co-authored-by: Tobias Büschel <13087421+tobiasbueschel@users.noreply.github.com>
Co-authored-by: mad-jose <44253495+josezone@users.noreply.github.com>
Co-authored-by: mad-jose <joset@yeswearemad.com>
Co-authored-by: Andrew Hyndman <ajhyndman@hotmail.com>
Co-authored-by: Brody McKee <mrmckeb@users.noreply.github.com>
Co-authored-by: James George <jamesgeorge998001@gmail.com>
Co-authored-by: Dion Woolley <woolley.dion@gmail.com>
Co-authored-by: Walker Clem <51654951+wclem4@users.noreply.github.com>
wombleton pushed a commit to AurorNZ/create-react-app that referenced this pull request Jun 1, 2021
@Awarua- @wombleton
Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312)
ef380ca 
Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs
abhiisheek pushed a commit to abhiisheek/create-react-app that referenced this pull request May 19, 2023
@Awarua- @abhiisheek
Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312)
0012b9d 
Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs
abhiisheek pushed a commit to abhiisheek/create-react-app that referenced this pull request May 24, 2023
@Awarua- @abhiisheek
Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312)
f701810 
Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ianschmitz ianschmitz Awaiting requested review from ianschmitz

@iansu iansu Awaiting requested review from iansu

@mrmckeb mrmckeb Awaiting requested review from mrmckeb

@petetnt petetnt Awaiting requested review from petetnt

Assignees
No one assigned
Labels
CLA Signed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Websocket driver flagged by Veracode scan — can I disable it?
4 participants
@Awarua- @facebook-github-bot @dudeisbrendan03 @gaearon