
Critical npm vulnerability in `formidable`

Open dan-trewin opened this issue 10 months ago • 0 comments

Steps to Reproduce

A new critical npm vulnerability is present in npm dep formidable < 3.2.4: https://github.com/advisories/GHSA-8cp3-66vr-3r4c.

react-native-code-push uses a series of deps that depend on superagent versions that depend on formidable < 3.2.4.

Really the issue is with code-push and appcenter-file-upload-client, but this repo will likely need a release too.

See:

Screenshot 2024-04-23 at 10 21 13 AM

Expected Behavior

code-push and appcenter-file-upload-client should be updated to use a newer version of superagent that doesn't depend on formidable < 3.2.4; then react-native-code-push should in turn be updated to use the corresponding new versions, so that react-native-code-push doesn't contain a critical vuln.

Actual Behavior

Current version of [email protected] contains a critical npm vuln.

Final Notes

Just curious if your team is aware of this and working on a fix, and when to expect it? Or if anyone has any workarounds in the meantime, those would be appreciated. Thanks in advance!

dan-trewin avatar Apr 23 '24 15:04 dan-trewin