expo-cli
Critical Vulnerability in @expo/webpack-config
Summary
yarn audit shows https://www.npmjs.com/advisories/1005029 as a critical vulnerability, due to an old version of react-dev-utils.
Environment
Expo CLI 5.1.2 environment info:
System:
OS: macOS 12.1
Shell: 5.8 - /bin/zsh
Binaries:
Node: 16.13.0 - ~/.nvm/versions/node/v16.13.0/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 8.1.4 - /opt/homebrew/bin/npm
Managers:
CocoaPods: 1.10.2 - /usr/local/bin/pod
IDEs:
Xcode: /undefined - /usr/bin/xcodebuild
npmPackages:
react: ^17.0.2 => 17.0.2
react-dom: ^17.0.2 => 17.0.2
react-native-web: ^0.17.1 => 0.17.5
Expo Workflow: managed
Please specify your device/emulator/simulator platform, model and version
N/A
Error output
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Prototype Pollution in immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=9.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/next-adapter │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @expo/next-adapter > @expo/webpack-config > react-dev-utils │
│ │ > immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1005029 │
└───────────────┴──────────────────────────────────────────────────────────────┘
as well as
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Prototype Pollution in simple-plist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ simple-plist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/next-adapter │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @expo/next-adapter > @expo/webpack-config > @expo/config > │
│ │ @expo/config-plugins > xcode > simple-plist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1067309 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Reproducible demo or steps to reproduce from a blank project
yarn audit
There are more vulnerabilities today, see below
node-forge
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Improper Verification of Cryptographic Signature in │
│ │ `node-forge` │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.3.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/webpack-config │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @expo/webpack-config > webpack-dev-server > selfsigned > │
│ │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1070354 │
└───────────────┴──────────────────────────────────────────────────────────────┘
browserslist
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Regular Expression Denial of Service in browserslist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ browserslist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.16.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/webpack-config │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @expo/webpack-config > react-dev-utils > browserslist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1067902 │
└───────────────┴──────────────────────────────────────────────────────────────┘
ansi-html
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Uncontrolled Resource Consumption in ansi-html │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-html │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.8 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @expo/webpack-config │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @expo/webpack-config > webpack-dev-server > ansi-html │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1070006 │
└───────────────┴──────────────────────────────────────────────────────────────┘
I think there are other outdated dependencies, this list is not exhaustive.
You should consider upgrading webpack and webpack-dev-server (high-level vulnerability).
This issue prevents us from using this package, and it is necessary for us to build in web mode. : /
There are more vulnerabilities today.
I hadn't seen this issue when I posted https://github.com/expo/expo-cli/issues/4570#issuecomment-1315202232, so these issues have been going on for 6 months. It doesn't look like web on React Native / Expo is a safe place to be.
https://overreacted.io/npm-audit-broken-by-design/
Please explain to me how a tool you are running locally compromises the security of your app/web project.
@kbrandwijk, yeah... "safe" also meaning a safe place to be investing time... which admittedly wasn't obvious.
I can't know what exactly webpack is doing with my files - what, if anything, it is adding to the possibly tens of thousands of project files I'll end up with to generate the final build - so I don't know, without a whole lot of effort (which kind of negates the whole point of using the tools), IF what the tools are telling me are critical security issues are in fact going to be security issues. Sure, while I'm working on my machine locally etc. I can carry on and get to the next set of issues, but come the time for a release build, if npm audit says I have security issues and I can't explain every one of them away, then I have a problem.
Bottom line: I should not be seeing this output.
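A triage script for the yarn audit output discussed in this thread, added here as an example; it is not code from the issue or from expo-cli. It assumes the newline-delimited JSON that yarn v1's `yarn audit --json` emits (one `auditAdvisory` record per finding, with `resolution.path` joined by `>` and a `resolution.dev` flag, then a final `auditSummary`), and that npm's advisory feed marks an advisory with no patch by a `patched_versions` range of `<0.0.0`. The sample records below are constructed from the advisories quoted in this issue and trimmed to the fields the triage uses. The point is the one the comment above raises: tie each finding to the top-level dependency that pulls it in, and separate what an upgrade can fix from what has no patch at all.

```javascript
// Added example, not part of the issue or of expo-cli.
// Usage: node triage.js                 -> runs on the constructed SAMPLE below
//        yarn audit --json | node triage.js --stdin
// Assumes yarn v1 `yarn audit --json` NDJSON: auditAdvisory records then auditSummary.

// Constructed sample, trimmed from the advisories quoted in the issue.
const SAMPLE = [
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1005029, path: "@expo/next-adapter>@expo/webpack-config>react-dev-utils>immer", dev: true, optional: false, bundled: false },
    advisory: { id: 1005029, module_name: "immer", severity: "critical", patched_versions: ">=9.0.6",
      title: "Prototype Pollution in immer", url: "https://www.npmjs.com/advisories/1005029" } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1067309, path: "@expo/next-adapter>@expo/webpack-config>@expo/config>@expo/config-plugins>xcode>simple-plist", dev: true, optional: false, bundled: false },
    // "<0.0.0" is assumed to be npm's encoding of "No patch available".
    advisory: { id: 1067309, module_name: "simple-plist", severity: "critical", patched_versions: "<0.0.0",
      title: "Prototype Pollution in simple-plist", url: "https://www.npmjs.com/advisories/1067309" } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1070354, path: "@expo/webpack-config>webpack-dev-server>selfsigned>node-forge", dev: true, optional: false, bundled: false },
    advisory: { id: 1070354, module_name: "node-forge", severity: "moderate", patched_versions: ">=1.3.0",
      title: "Improper Verification of Cryptographic Signature in `node-forge`", url: "https://www.npmjs.com/advisories/1070354" } } }),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 2 } } }),
].join("\n");

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse the NDJSON stream into flat findings plus the summary counts.
// Non-JSON lines (yarn warnings mixed into the stream) are skipped.
function parseAudit(ndjson) {
  const findings = [];
  let summary = null;
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (_err) { continue; }
    if (rec.type === "auditSummary") { summary = rec.data.vulnerabilities; continue; }
    if (rec.type !== "auditAdvisory") continue;
    const { resolution, advisory } = rec.data;
    const path = resolution.path.split(">");
    const patched = advisory.patched_versions || "";
    findings.push({
      id: advisory.id,
      module: advisory.module_name,
      severity: advisory.severity,
      title: advisory.title,
      url: advisory.url,
      topLevel: path[0],            // the direct dependency you can actually bump
      depth: path.length - 1,       // how many hops down the tree the bad package sits
      dev: Boolean(resolution.dev), // reached only through devDependencies
      patchAvailable: patched !== "" && patched !== "<0.0.0",
      patched,
    });
  }
  return { findings, summary };
}

// Group findings at or above minSeverity by top-level dependency, split into
// those an upgrade can resolve and those with no patched version at all.
function triage(findings, minSeverity = "moderate") {
  const floor = SEVERITY_RANK[minSeverity];
  const byTopLevel = new Map();
  for (const f of findings) {
    if ((SEVERITY_RANK[f.severity] ?? 0) < floor) continue;
    if (!byTopLevel.has(f.topLevel)) byTopLevel.set(f.topLevel, { fixable: [], unfixable: [] });
    byTopLevel.get(f.topLevel)[f.patchAvailable ? "fixable" : "unfixable"].push(f);
  }
  return byTopLevel;
}

// Render one line per top-level dependency plus one per finding under it.
function report(ndjson, minSeverity = "moderate") {
  const { findings } = parseAudit(ndjson);
  const lines = [];
  for (const [top, { fixable, unfixable }] of triage(findings, minSeverity)) {
    lines.push(`${top}: ${fixable.length} fixable by upgrade, ${unfixable.length} with no patch`);
    for (const f of fixable) lines.push(`  upgrade to ${f.module}@${f.patched} (${f.severity}, depth ${f.depth}${f.dev ? ", dev-only" : ""}) ${f.url}`);
    for (const f of unfixable) lines.push(`  NO PATCH: ${f.module} (${f.severity}, depth ${f.depth}${f.dev ? ", dev-only" : ""}) ${f.url}`);
  }
  return lines;
}

if (process.argv[2] === "--stdin") {
  let buf = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (chunk) => { buf += chunk; });
  process.stdin.on("end", () => console.log(report(buf).join("\n")));
} else {
  console.log(report(SAMPLE).join("\n"));
}
```

The `dev` flag and `depth` are what decide whether a finding is something you can act on yourself (bump the top-level package, or add a `resolutions` entry for the deep package) or something only the upstream maintainer can clear, which is the distinction the thread keeps circling around; a finding marked NO PATCH cannot be fixed by upgrading anything and has to be either removed from the tree or accepted with a written reason.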
react-dev-utils is no longer used as of #3763