Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

prototype pollution and remote code execution #65

Open
fanhustler opened this issue Apr 8, 2021 · 1 comment
Open

prototype pollution and remote code execution #65

fanhustler opened this issue Apr 8, 2021 · 1 comment

Comments

@fanhustler
Copy link

Hi, I am new to react as I am a WordPress Dev.. I have been following Michael Soriano's tutorial on how to build a WordPress theme with React, and when I got to the step to "install react-router-dom"- I got the following npm warn messages:

"npm WARN @babel/[email protected] requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

found 4 vulnerabilities (1 low, 3 high)
run npm audit fix to fix them, or npm audit for details"

so, I ran:

"$ npm audit fix
npm WARN @babel/[email protected] requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

and got back this message

"fixed 0 of 4 vulnerabilities in 1698 scanned packages
4 vulnerabilities required manual review and could not be updated"

so, then I ran "npm audit"

"$ npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of @devloco/react-scripts-wptheme

Path @devloco/react-scripts-wptheme > webpack-dev-server > yargs
> yargs-parser

More info https://npmjs.com/advisories/1500

High Remote Code Execution

Package serialize-javascript

Patched in >=3.1.0

Dependency of @devloco/react-scripts-wptheme

Path @devloco/react-scripts-wptheme > terser-webpack-plugin >
serialize-javascript

More info https://npmjs.com/advisories/1548

High Prototype Pollution

Package object-path

Patched in >=0.11.5

Dependency of @devloco/react-scripts-wptheme

Path @devloco/react-scripts-wptheme > resolve-url-loader >
adjust-sourcemap-loader > object-path

More info https://npmjs.com/advisories/1573

High Prototype Pollution

Package immer

Patched in >=8.0.1

Dependency of @devloco/react-scripts-wptheme

Path @devloco/react-scripts-wptheme > react-dev-utils > immer

More info https://npmjs.com/advisories/1603

found 4 vulnerabilities (1 low, 3 high) in 1698 scanned packages
4 vulnerabilities require manual review. See the full report for details."

Like I said, I am new to React and am trying to learn how to develop my own react themes for wordpress, so I was delighted when I found your create-react-wptheme on Michael's blog!

I guess my questions are;

1.) Is this a major ordeal or can I just continue to develop a wp theme with this package and not worry about those warning messages?

OR

2.) How can I fix these dependency vulnerabilities on my own?

OR

3.) Would you be able to update your repository so that this is no longer an issue?

I am unsure what the correct way to go about fixing this issue, so any insight would be greatly appreciated!

Thank you for this package, as I am sure it would have taken me many more months to have figured out how to do this on my own.

Many thanks,

Jesse Giddens

@believelody
Copy link

Hello @fanhustler , I don't know if you already found a solution but as far as I know, you can continue to develop your app. There is no real big deal with those warnings. Just be careful when using react router, you might see some weird behaviour.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants