update immer to 8.0.1 to address vulnerability #10412
Conversation
Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
Hi @wclem4! Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA. Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with If you have received this in error or have any questions, please contact us at [email protected]. Thanks!
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!
The error in the pipeline seems unrelated to this.
CRA is still in the process of updating with the immer fix ( facebook/create-react-app#10412 ), so this uses a resolution override to use the newest immer. To reduce chance of compatibility issues, I also updated `react-dev-utils` to latest and confirmed that dev and prod builds both still work.
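The resolution override described in the comment above, written out as an added example (not the commenter's or the project's own file): a Yarn `resolutions` entry in the consuming project's package.json that forces every transitive copy of immer to 8.0.1, whatever version react-scripts itself declares. The package name, the react-scripts version and the rest of the manifest are assumed for illustration only.

```json
{
  "name": "example-app",
  "private": true,
  "devDependencies": {
    "react-scripts": "4.0.2"
  },
  "resolutions": {
    "immer": "8.0.1"
  }
}
```

After `yarn install`, `yarn why immer` shows which version the lockfile actually resolved and which packages depend on it; npm users on npm 8.3 or later express the same thing with an `"overrides"` field instead of `"resolutions"`. Because this forces a major version bump onto a dependency that react-scripts did not test against, re-run both the development and the production build afterwards, as the comment above did, and in particular exercise the TypeScript configuration path that is the part of react-scripts that uses immer.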
Is there an update on this?
@iansu what do you think about this PR? Merging this PR + releasing a new version would help address many security vulnerability alerts for FB OSS projects because they use Docusaurus which uses this.
Friendly ping for @ianschmitz, @iansu and @mrmckeb. Please upgrade immer, we really need it!
Can someone please take a look at this?
Just to be clear, there is (and never was) a real vulnerability here. It's a false positive, as it usually happens with build tools. @wclem4 Did you test this change and verify that the function that uses Immer still works? In particular, the TypeScript integration. This is a major version bump.
We will be releasing 4.0.3 this weekend with this package upgrade and some other small fixes. |
Hi there, any news about the upcoming version?
Could this be backported to 3.x? |
* Fix noFallthroughCasesInSwitch/jsx object is not extensible (facebook#9921)
  Co-authored-by: Konstantin Simeonov <[email protected]>
* Add logo license to README
* Remove trailing space in reportWebVitals.ts (facebook#10040)
* docs: add React Testing Library as a library requiring jsdom (facebook#10052)
  Co-authored-by: Ian Schmitz <[email protected]>
* Increase Workbox's maximumFileSizeToCacheInBytes (facebook#10048)
* Create FUNDING.yml
* replace inquirer with prompts (facebook#10083)
  - remove `react-dev-utils/inquirer` public import
* Prepare 4.0.1 release
* Prepare 4.0.1 release
* Publish
  - [email protected]
  - [email protected]
  - [email protected]
  - [email protected]
  - [email protected]
* chore: bump web-vital dependency version (facebook#10143)
* chore: bump typescript version (facebook#10141)
  Co-authored-by: Ian Schmitz <[email protected]>
* Add TypeScript 4.x as peerDependency to react-scripts (facebook#9964)
* remove chalk from formatWebpackMessages (facebook#10198)
* Upgrade @svgr/webpack to fix build error (facebook#10213)
  Co-authored-by: Ian Schmitz <[email protected]>
* Improve vendor chunk names in development (facebook#9569)
* Update postcss packages (facebook#10003)
  Co-authored-by: Ian Schmitz <[email protected]>
* Recovered some integration tests (facebook#10091)
* Upgrade sass-loader (facebook#9988)
* Move ESLint cache file into node_modules (facebook#9977)
  Co-authored-by: Ian Schmitz <[email protected]>
* Revert "Update postcss packages" (facebook#10216)
  This reverts commit 580ed5d.
* Remove references to Node 8 (facebook#10214)
* fix(react-scripts): add missing peer dependency react and update react-refresh-webpack-plugin (facebook#9872)
* Update using-the-public-folder.md (facebook#10314)
  Some library --> Some libraries
* docs: add missing override options for Jest config (facebook#9473)
* Fix CI tests (facebook#10217)
* appTsConfig immutability handling by immer (facebook#10027)
  Co-authored-by: mad-jose <[email protected]>
* Add support for new BUILD_PATH advanced configuration variable (facebook#8986)
* Add opt-out for eslint-webpack-plugin (facebook#10170)
* Prepare 4.0.2 release
* Publish
  - [email protected]
  - [email protected]
  - [email protected]
  - [email protected]
  - [email protected]
  - [email protected]
* tests: update test case to match the description (facebook#10384)
* Bump webpack-dev-server 3.11.0 -> 3.11.1 (facebook#10312)
  Resolves facebook#10084 security vulnerability in websocket-driver library version 0.5.6, imported transitively by sockjs
* Upgrade eslint-webpack-plugin to fix opt-out flag (facebook#10590)
* update immer to 8.0.1 to address vulnerability (facebook#10412)
  Resolves facebook#10411 Bumps immer version to 8.0.1 to address the prototype pollution vulnerability with the current 7.0.9 version.
* Prepare 4.0.3 release
* Update CHANGELOG
* Publish
  - [email protected]
  - [email protected]
  - [email protected]

Co-authored-by: Ryota Murakami <[email protected]>
Co-authored-by: Konstantin Simeonov <[email protected]>
Co-authored-by: Ian Sutherland <[email protected]>
Co-authored-by: sho90 <[email protected]>
Co-authored-by: Anyul Rivas <[email protected]>
Co-authored-by: Ian Schmitz <[email protected]>
Co-authored-by: Jeffrey Posnick <[email protected]>
Co-authored-by: Evan Bacon <[email protected]>
Co-authored-by: Sahil Purav <[email protected]>
Co-authored-by: Hakjoon Sim <[email protected]>
Co-authored-by: Chris Shepherd <[email protected]>
Co-authored-by: Jason Williams <[email protected]>
Co-authored-by: Jabran Rafique⚡️ <[email protected]>
Co-authored-by: John Ruble <[email protected]>
Co-authored-by: Morten N.O. Nørgaard Henriksen <[email protected]>
Co-authored-by: Sergey Makarov <[email protected]>
Co-authored-by: EhsanKhaki <[email protected]>
Co-authored-by: Kristoffer K <[email protected]>
Co-authored-by: Aviv Hadar <[email protected]>
Co-authored-by: Tobias Büschel <[email protected]>
Co-authored-by: mad-jose <[email protected]>
Co-authored-by: mad-jose <[email protected]>
Co-authored-by: Andrew Hyndman <[email protected]>
Co-authored-by: Brody McKee <[email protected]>
Co-authored-by: James George <[email protected]>
Co-authored-by: Dion Woolley <[email protected]>
Co-authored-by: Walker Clem <[email protected]>
Resolves #10411
Bumps immer version to 8.0.1 to address the prototype pollution
vulnerability with the current 7.0.9 version.