Comments (21)
The ip package's last update was 2 years ago.
https://www.npmjs.com/package/ip
My problem is with puppeteer instead of react, but it's the same issue: will the ip package really be updated? I think it is not maintained anymore...
from cli.
FYI there is now a 1.1.9 and 2.0.1.
However the CVE needs to be updated to allow the 1.1.9 release to be seen as a valid fix:
github/advisory-database#3553
from cli.
Yeah, I just wanted to point out that this release now exists and that people might still see dependabot etc. complain until the CVE is updated.
from cli.
Anyone found any workaround? Please share here, thanks!
There's no workaround; the library needs to be either patched or replaced.
from cli.
FYI, the only affected command is profile-hermes when producing source maps. If you're not using it on a server (e.g. your CI), you're safe to ignore this and wait for us to patch it once we have a proper solution. If you are using it, however, please disable it temporarily.
from cli.
@azmainamin It should be enough to regenerate the lockfile entry for this package in your project, now that github/advisory-database#3553 is merged.
from cli.
Thanks, I'm facing the same issue.
from cli.
Hey @taylorjdawson, thanks for reporting! I've just created #2295 bumping the ip package 👍
from cli.
@szymonrybczak Does that fix it though? The issue, I believe, is with the latest version of the ip package.
from cli.
@taylorjdawson Ah, right. I looked wrongly and thought it was <1.1.18; let's see if the maintainers will release a patch fix.
from cli.
So I'm not the only one who faced that problem :/
Anyone found a fix for this? I need to complete the tasks real bad lol
from cli.
Seems like this upstreams to the latest version of react-native.
from cli.
Hey, I'm facing the same issue. Should I downgrade my @react-native-community/cli package version to a certain one so it will not be affected by the latest upgrade?
This is the 'npm audit' result:

npm audit report

ip  <=1.1.8
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/ip
  @react-native-community/cli-doctor  *
  Depends on vulnerable versions of ip
  node_modules/@react-native-community/cli-doctor
    @react-native-community/cli  >=4.13.0
    Depends on vulnerable versions of @react-native-community/cli-doctor
    Depends on vulnerable versions of @react-native-community/cli-hermes
    node_modules/@react-native-community/cli
      react-native  <=0.0.0-ffdfbbec0 || >=0.69.0-rc.0
      Depends on vulnerable versions of @react-native-community/cli
      node_modules/react-native
        react-native-pie-chart  >=3.0.0
        Depends on vulnerable versions of react-native
        node_modules/react-native-pie-chart
  @react-native-community/cli-hermes  *
  Depends on vulnerable versions of ip
  node_modules/@react-native-community/cli-hermes

Thank you in advance.
from cli.
Anyone found any workaround? Please share here, thanks!
from cli.
Same error here.
from cli.
The PR is opened here and should probably be merged soon.
from cli.
The PR is opened here and should probably be merged soon.
I wouldn't count on it being merged soon... I've seen a lot of dependent libraries moving away from the ip lib. I think @taylorjdawson's proposal is very sound.
from cli.
Anyone found any workaround? Please share here, thanks!
There's no workaround; the library needs to be either patched or replaced.
I have tried patching the ip library, but it still does not work for me.
from cli.
1.1.9 is within the semver range, so refreshing the lock file should be enough. Additionally, we merged #2299 (which drops the dependency on ip, offering an alternative), which we intend to backport to RN 0.72 and 0.71 – although with the fix being within the semver range, I'm not sure that's going to be necessary and will leave that to the RN release crew to decide.
from cli.
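Refreshing the lockfile only helps if every copy of ip, including copies nested under packages such as cli-hermes, actually moves out of the <=1.1.8 range that npm audit reports above. The following script is an added example (not from this thread or the cli project) that walks the "packages" map of a lockfile v2/v3 and flags each installed copy of ip; the sample lockfile embedded in it is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for every
// copy of `ip`, hoisted or nested, and flag versions <=1.1.8 (the vulnerable
// range from the npm audit output). Lockfile v1 ("dependencies" tree) is not
// handled. Re-run after refreshing the lockfile to confirm nested copies moved too.

// Numeric compare of "x.y.z" version strings; a prerelease suffix is ignored.
function cmpVersion(a, b) {
  const pa = String(a).split("-")[0].split(".").map(Number);
  const pb = String(b).split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One record per installed copy of `ip`; nested copies live at
// "node_modules/<parent>/node_modules/ip" in the lockfile's packages map.
function findIpCopies(lockfile, maxVulnerable = "1.1.8") {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "node_modules/ip" || path.endsWith("/node_modules/ip")) {
      const vulnerable = cmpVersion(entry.version, maxVulnerable) <= 0;
      hits.push({ path, version: entry.version, vulnerable });
    }
  }
  return hits;
}

// Summary lines, one per copy, suitable as a CI gate (fail on any "VULN").
function report(lockfile) {
  return findIpCopies(lockfile).map(
    (h) => `${h.vulnerable ? "VULN" : "ok  "} ${h.version.padEnd(6)} ${h.path}`
  );
}

// Constructed sample lockfile: the hoisted copy was refreshed to 1.1.9, but a
// nested copy under cli-hermes is still pinned to 1.1.8 (constructed data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/ip": { version: "1.1.9" },
    "node_modules/@react-native-community/cli-hermes": { version: "0.0.0-sample" },
    "node_modules/@react-native-community/cli-hermes/node_modules/ip": { version: "1.1.8" },
  },
};
console.log(report(sampleLock).join("\n"));
```

To check a real project, parse its package-lock.json with JSON.parse and pass the object to report().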
Thanks for doing that @lsmith77
from cli.
If using React Native version 0.68.2, how can we get the patch/fix?
from cli.