
Component Governance will be unable to detect the hermes dependency in RN

Open jonthysell opened this issue 2 years ago • 3 comments

Problem Description

RNW does not actually depend on the published hermes NPM package (as of #10210), because technically neither does RN.

However, RN does release with hermes binaries within their NPM package, which Component Governance won't be able to detect.

So all RN (and therefore RNW) apps built by MSFT running internal compliance tools will be missing this dependency, which, as a JS engine, is ripe for future security vulnerabilities.

Steps To Reproduce

  1. Create a new react-native app: npx react-native init testapp
  2. Look under node_modules/react-native/sdks; you'll see versions of hermes.

Expected Results

No response

CLI version

npx react-native --version

Environment

npx react-native info

Target Platform Version

No response

Target Device(s)

No response

Visual Studio Version

No response

Build Configuration

No response

Snack, code example, screenshot, or link to a repository

No response

jonthysell avatar Jun 28 '22 21:06 jonthysell

One potential solution for RNW apps would be to generate the appropriate cgmanifest.json file on their behalf, but that limits the detection to RNW apps that run whatever code we create. Regular RN apps will escape detection.

jonthysell avatar Jun 28 '22 21:06 jonthysell

This might not be an issue if, since hermes is bundled within RN, any vulnerabilities are ascribed to the affected RN release, rather than to hermes (which no longer has releases).

jonthysell avatar Jun 28 '22 21:06 jonthysell

Moving this to the backlog as I don't think it's strictly an RNW problem, and if it comes down to us having to fix for it, we can reassign to a release milestone at that time.

jonthysell avatar Aug 02 '22 21:08 jonthysell