react-native-loading-spinner-overlay
[Snyk] Security upgrade react-native from 0.57.3 to 0.60.0
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - example/package.json
  - example/yarn.lock
Vulnerabilities that will be fixed
With an upgrade:
Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
---|---|---|---|---|
| 461/1000 Why? Recently disclosed, Has a fix available, CVSS 3.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-DEBUG-3227433 | No | No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Socket Security Pull Request Report
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
📜 Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Package | Script field | Source |
---|---|---|
[email protected] (upgraded) | install | example/package.json |
😵💫 Bin script confusion
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing, or could be a sign of a supply chain attack.
Consider removing one of the conflicting packages. Packages should only export bin scripts with their own name.
Package | Bin script | Source |
---|---|---|
[email protected] (upgraded) | react-native | example/package.json via [email protected] |
@cnakazawa/[email protected] (added) | watch | example/package.json via [email protected], @react-native-community/[email protected], [email protected], [email protected], [email protected] |
[email protected] (added) | watch | example/package.json via [email protected], [email protected], [email protected] |
🦀 Bin script shell injection
This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack.
Packages should not export bin scripts which conflict with well known shell commands.
Package | Bin script | Source |
---|---|---|
@cnakazawa/[email protected] (added) | watch | example/package.json via [email protected], @react-native-community/[email protected], [email protected], [email protected], [email protected] |
Pull request report summary
Issue | Status |
---|---|
Install scripts | ⚠️ 1 issue |
Native code | ✅ 0 issues |
Bin script confusion | ⚠️ 3 issues |
Bin script shell injection | ⚠️ 1 issue |
Unresolved require | ✅ 0 issues |
Invalid package.json | ✅ 0 issues |
HTTP dependency | ✅ 0 issues |
Git dependency | ✅ 0 issues |
Potential typo squat | ✅ 0 issues |
Known Malware | ✅ 0 issues |
Telemetry | ✅ 0 issues |
Protestware/Troll package | ✅ 0 issues |
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers, e.g. @SocketSecurity ignore [email protected] [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @cnakazawa/[email protected]
@SocketSecurity ignore [email protected]
Powered by socket.dev