Fix vulnerabilities #58

Closed
1 of 2 tasks
mattx433 opened this issue May 17, 2018 · 1 comment

Comments


mattx433 commented May 17, 2018

npm audit shows that there are 11 vulnerabilities in SCRIPT-8's packages. Upgrading react-scripts to 1.1.4 fixes most of them:

    npm install react-scripts@1.1.4

After upgrading, there are only 2:
Critical - macaddress - Command Injection Vulnerability - Node Security advisory link
Moderate - base64url - Out-of-bounds Read Vulnerability - Node Security advisory link
gh-pages requires base64url.
The path for macaddress:

react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress

base64url can also be fixed by upgrading to >= 3.0.0
However, macaddress hasn't got any patch for its vulnerability.

  • Fix the vulnerability in macaddress
  • Fix the vulnerability in base64url

gabrielflorit added the bug label May 20, 2018

@gabrielflorit (Owner)

Thanks for this.

According to facebook, macaddress is not being used in a vulnerable way here: facebook/create-react-app#4479.

gh-pages has a base64url PR to upgrade to 3.0.0. I'll keep this open to track the PR.

gabrielflorit removed the bug label May 20, 2018