prototype pollution and remote code execution #65
Comments
Hello @fanhustler, I don't know if you already found a solution, but as far as I know, you can continue to develop your app. There is no real big deal with those warnings. Just be careful when using react router, you might see some weird behaviour.
Hi, I am new to React as I am a WordPress dev. I have been following Michael Soriano's tutorial on how to build a WordPress theme with React, and when I got to the step to "install react-router-dom" I got the following npm warn messages:

```
npm WARN @babel/[email protected] requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.

found 4 vulnerabilities (1 low, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details
```

so, I ran:

```
$ npm audit fix
npm WARN @babel/[email protected] requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
```

and got back this message:

```
fixed 0 of 4 vulnerabilities in 1698 scanned packages
  4 vulnerabilities required manual review and could not be updated
```

so, then I ran `npm audit`:

```
$ npm audit

  Low            Prototype Pollution
  Package        yargs-parser
  Patched in     >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of  @devloco/react-scripts-wptheme
  Path           @devloco/react-scripts-wptheme > webpack-dev-server > yargs > yargs-parser
  More info      https://npmjs.com/advisories/1500

  High           Remote Code Execution
  Package        serialize-javascript
  Patched in     >=3.1.0
  Dependency of  @devloco/react-scripts-wptheme
  Path           @devloco/react-scripts-wptheme > terser-webpack-plugin > serialize-javascript
  More info      https://npmjs.com/advisories/1548

  High           Prototype Pollution
  Package        object-path
  Patched in     >=0.11.5
  Dependency of  @devloco/react-scripts-wptheme
  Path           @devloco/react-scripts-wptheme > resolve-url-loader > adjust-sourcemap-loader > object-path
  More info      https://npmjs.com/advisories/1573

  High           Prototype Pollution
  Package        immer
  Patched in     >=8.0.1
  Dependency of  @devloco/react-scripts-wptheme
  Path           @devloco/react-scripts-wptheme > react-dev-utils > immer
  More info      https://npmjs.com/advisories/1603

found 4 vulnerabilities (1 low, 3 high) in 1698 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
```
Like I said, I am new to React and am trying to learn how to develop my own React themes for WordPress, so I was delighted when I found your create-react-wptheme on Michael's blog!

I guess my questions are:

1.) Is this a major ordeal, or can I just continue to develop a WP theme with this package and not worry about those warning messages?

OR

2.) How can I fix these dependency vulnerabilities on my own?

OR

3.) Would you be able to update your repository so that this is no longer an issue?

I am unsure what the correct way to go about fixing this issue is, so any insight would be greatly appreciated!

Thank you for this package, as I am sure it would have taken me many more months to have figured out how to do this on my own.

Many thanks,
Jesse Giddens