Vulnerability in react-dev-utils > ... > set-value #11539

@alexarsh

Description

Describe the bug

There is the following dependency tree:

└─┬ react-dev-utils@11.0.4
  └─┬ fork-ts-checker-webpack-plugin@4.1.6
    └─┬ micromatch@3.1.10
      └─┬ snapdragon@0.8.2
        └─┬ base@0.11.2
          └─┬ cache-base@1.0.1
            ├── set-value@2.0.1
            └─┬ union-value@1.0.1
              └── set-value@2.0.1

where set-value@2.0.1 has the following vulnerability issues:
https://snyk.io/vuln/npm:set-value@2.0.1

Is there a chance that the dependencies can be updated in order to fix the issue?

Did you try recovering your dependencies?

Yes

Environment

current version of create-react-app: 4.0.3
running from /Users/aarshavs/.npm/_npx/97106/lib/node_modules/create-react-app

System:
OS: macOS 11.5
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 14.18.0 - ~/.nvm/versions/node/v14.18.0/bin/node
Yarn: Not Found
npm: 6.14.15 - ~/.nvm/versions/node/v14.18.0/bin/npm
Browsers:
Chrome: 94.0.4606.71
Edge: Not Found
Firefox: 92.0.1
Safari: 14.1.2
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-scripts: Not Found
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

  1. npm install react-dev-utils@11.0.4

Expected behavior

set-value version will be at least 4.0.1

Actual behavior

set-value version is 2.0.1
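The advisory linked above (and the immer advisory raised later in this thread) is prototype pollution. What follows is an added illustration of that bug class written for this page; it is not set-value's or immer's code and makes no claim about their exact code paths. It shows a minimal "deep set by dotted path" helper of the kind set-value provides, first in the shape that lets a caller-controlled path reach Object.prototype, then hardened, plus a check that reports which of the two leaks. The attacker-controlled path is constructed for the demo.

```javascript
// Added illustration of the prototype-pollution bug class behind the set-value
// and immer advisories in this thread. Not set-value's or immer's code: a
// minimal "deep set by dotted path" helper in the unsafe shape, then hardened.

// Unsafe: descends through (and creates) an object for every path segment,
// including "__proto__". Reading obj["__proto__"] on a plain object yields
// Object.prototype, so the path "__proto__.polluted" writes onto
// Object.prototype and every object in the process inherits the planted key.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Keys through which a dotted path can reach a shared prototype.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject any segment naming a reserved key, and only descend into
// own properties so an inherited object can never become the write cursor.
function safeSet(target, path, value) {
  const keys = path.split('.');
  const bad = keys.find((k) => RESERVED_KEYS.has(k));
  if (bad !== undefined) {
    throw new TypeError(`refusing to set path "${path}": "${bad}" is reserved`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Feed a constructed attacker-controlled path through `setFn` against a
// throwaway object and report whether an unrelated, freshly created object
// inherited the planted key. Cleans Object.prototype afterwards so the
// process is left in its original state.
function pollutes(setFn) {
  const attackerPath = '__proto__.polluted'; // constructed payload, not from the page
  try {
    setFn({}, attackerPath, 'yes');
  } catch (err) {
    // the hardened helper refuses the path; that is the desired outcome
  }
  const victim = {};
  const leaked = victim.polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

console.log('unsafeSet pollutes Object.prototype:', pollutes(unsafeSet)); // true
console.log('safeSet pollutes Object.prototype:', pollutes(safeSet));     // false
```

Why this matters for a build pipeline: any code that passes caller-controlled keys (query parameters, JSON bodies, merged config) into such a helper can plant properties that every object in the process inherits, which later surfaces as authorization bypasses or crashes in unrelated code. The own-property check is defense in depth: even if a reserved key slipped past the deny list, an inherited object is never used as the write cursor.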

Activity

guidocecilio commented on Oct 11, 2021

This is happening for immer as a critical vulnerability:

[critical] Prototype Pollution in immer

  • dependencies: react-scripts>react-dev-utils>immer

[high] Prototype Pollution in set-value

  • dependencies: react-scripts>webpack>micromatch>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>webpack>micromatch>extglob>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>webpack>micromatch>extglob>expand-brackets>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>react-dev-utils>fork-ts-checker-webpack-plugin>micromatch>extglob>expand-brackets>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>babel-jest>@jest/transform>jest-haste-map>sane>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>extglob>expand-brackets>snapdragon>base>cache-base>set-value
  • dependencies: react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch>extglob>expand-brackets>snapdragon>base>cache-base>union-value>set-value

$ npm list immer
project@1.0.0 /Users/xfile/dev/project
└─┬ react-scripts@4.0.3
  └─┬ react-dev-utils@11.0.4
    └── immer@8.0.1

Vulnerability DB / npm / immer@8.0.1
Prototype Pollution in immer: GHSA-33f9-j839-rf8h
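The "dependencies:" listing above is what npm audit derives from the installed tree. As an added example (not code from this thread or from create-react-app), here is a small script that regenerates such a listing from the JSON form of the tree and flags every path that ends in a version below the one carrying the fix; point it at the parsed output of `npm ls --all --json` (npm 7 and later) or `npm ls --json` (npm 6). The tree embedded below is constructed to mirror the paths reported in this issue and is not real npm output; the fixed versions (immer 9.0.6, set-value 4.0.1) are the ones named in the thread.

```javascript
// Added example, not code from this thread or from create-react-app: rebuild
// the "dependencies: a>b>c" listing that npm audit prints from the JSON form
// of the dependency tree, reporting every path that ends in a package older
// than the version carrying the fix.

// Constructed tree mirroring the paths reported in this issue; not real npm output.
const SAMPLE_TREE = {
  name: 'project', version: '1.0.0',
  dependencies: {
    'react-scripts': { version: '4.0.3', dependencies: {
      'react-dev-utils': { version: '11.0.4', dependencies: {
        immer: { version: '8.0.1' },
        'fork-ts-checker-webpack-plugin': { version: '4.1.6', dependencies: {
          micromatch: { version: '3.1.10', dependencies: {
            snapdragon: { version: '0.8.2', dependencies: {
              base: { version: '0.11.2', dependencies: {
                'cache-base': { version: '1.0.1', dependencies: {
                  'set-value': { version: '2.0.1' },
                  'union-value': { version: '1.0.1', dependencies: {
                    'set-value': { version: '2.0.1' },
                  } },
                } },
              } },
            } },
          } },
        } },
      } },
    } },
  },
};

// Compare two "major.minor.patch" strings numerically; returns <0, 0 or >0.
// Pre-release and build suffixes are dropped, so "4.0.1-beta.1" compares equal
// to "4.0.1": adequate for release versions, not a full semver range engine.
function compareVersions(a, b) {
  const pa = String(a).split(/[-+]/)[0].split('.').map(Number);
  const pb = String(b).split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Depth-first walk collecting "consumer>...>pkg@version" for every occurrence
// of `pkg` whose version is below `fixedIn`. npm nests a package once per
// consumer, so one vulnerable version shows up on many paths, which is why
// npm audit prints so many lines for a single advisory.
function findVulnerablePaths(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (name === pkg && child.version && compareVersions(child.version, fixedIn) < 0) {
        hits.push(`${here.join('>')}@${child.version}`);
      }
      walk(child, here); // nodes without `dependencies` are treated as leaves
    }
  };
  walk(tree, []);
  return hits;
}

// immer is fixed in 9.0.6 (per the thread); the issue body expects set-value >= 4.0.1.
console.log(findVulnerablePaths(SAMPLE_TREE, 'immer', '9.0.6'));
console.log(findVulnerablePaths(SAMPLE_TREE, 'set-value', '4.0.1'));
```

Where a dependant pins a transitive version exactly (as react-dev-utils@11.0.4 does for immer, see below), a plain `npm update` cannot move past it; the two ways to force a transitive version from the root package.json are npm's `overrides` field (npm 8.3 and later, so not the npm 6.14.15 in the environment report above) and Yarn's `resolutions` field, for example `"overrides": { "immer": "^9.0.6" }`. Forcing set-value from 2.0.1 to 4.x crosses two major versions for consumers such as cache-base and union-value, so treat that override as a change to test, not a free fix.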

bradseefeld commented on Oct 11, 2021

The issue is that react-dev-utils@11.0.4 pins the version of immer to 8.0.1. So although immer 9.0.6 fixes the vuln, there is no way for us to pull the latest immer in.

This PR removed the version pinning, but it does not look like a new build has been pushed to npm. Can you build and deploy a new version?

jessejiang0214 commented on Oct 18, 2021

Hi Team,

Any update or ETA on this one? As it's blocking our build pipeline 😭

Thanks
Jesse

jonnylangefeld commented on Oct 20, 2021

Just to add some urgency to this, it's blocking ours as well.

gdollard commented on Oct 20, 2021

It's also blocking our pipeline, some update on this critical vulnerability would be great.

bradseefeld commented on Oct 20, 2021

This may not be viable for most, but if you've already ejected your configs, we found it fairly easy to migrate off this lib entirely. The ejected scripts contain a lot of boilerplate for dealing with all sorts of various configurations, from which you can remove whatever does not apply to your setup. Once we did that, we only had a handful of instances referencing this lib.

It seems that react-dev-utils has chosen to create wrappers around third party libs, which makes it look like you're using more of their lib than you really are. Example: https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/chalk.js We were able to safely point directly to the third party instead.

tomc99 commented on Nov 3, 2021

As @bradseefeld asked, can you build and deploy a new version of the react-dev-utils package with the dependency pinning removed please?

dmythro commented on Nov 4, 2021

Well, the critical audit issue has not been resolved in 25 days, and a lot of people rely on this. Sad news.

IntuitiveInformatics commented on Nov 4, 2021

Any update on this? This is holding up our pipeline as well. We don't want to push with critical vulnerabilities, especially prototype pollution...

iampeter commented on Nov 5, 2021

Could you please add some urgency to this?

CsCherrYY commented on Nov 8, 2021

Could you please address this vulnerability issue soon? It also blocks our pipeline.

Fi1osof commented on Nov 8, 2021

package.json already has "immer": "^9.0.6"

but on npmjs it is still the old version

[Screenshot from 2021-11-08 08-05-28]

stale commented on Jan 9, 2022

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

M0unir commented on Jan 12, 2022

+1
