`react-dev-utils`: Prototype Pollution in Immer

[SalGnt-mxm]

Describe the bug

The react-dev-utils package uses a vulnerable version (v8.0.4) of Immer.

The fix, commit fa671e5, is part of the v9.0.6 release.
The react-dev-utils package should use this specific version of Immer.

GitHub CVE

• Prototype Pollution in immer (critical severity): CVE-2021-3757.
• Prototype Pollution in immer (high severity): CVE-2021-23436.

[bpod]

I'm seeing this issue flagged as a high vulnerability in our pipeline scan as well. However, I don't think this version of immer would ever be included in a final build since its only used by react-scripts.

Either way, Would love to see this addressed, thank you!

[theKashey]

The problem got multiplied by Storybook and potentially more projects which use react-dev-utils

[DaisyyKM]

Vulnerability is still there because we are not getting the updated version
Linking my comment from PR #11364 (comment)

[furdzik]

Any update on this?

In my project also react-dev-utils@11.0.4 has immer as dependency but still in version 8.0.1.

[ziaulrehman40]

This is marked critical, should be fixed on priority