Cli: Is the npm package up to date on npmjs.com? (ws dependency has security issue)

Created on 6 Aug 2019 · 5 Comments · Source: react-native-community/cli

Ask your Question

Hi,
is the npm package up to date on npmjs.com?

There are old dependencies, including "ws", which is very old and has security issues.

I tried installing this with react-native version 0.60.4
and it installs this as a child dependency. I've tried removing the package-lock.json file and installing again, but it's still the same version. However, when I look at the react-native-community/cli GitHub page package.json, it doesn't have that dependency.


package.json

{
  "name": "fridge",
  "version": "0.0.1",
  "private": true,
  "scripts": {
    "start": "react-native start",
    "test": "jest",
    "lint": "eslint ."
  },
  "dependencies": {
    "firebase": "^6.3.4",
    "moment": "^2.24.0",
    "react": "^16.8.6",
    "react-native": "^0.60.4",
    "react-native-camera": "^3.0.1",
    "react-native-datepicker": "^1.7.2",
    "react-native-device-info": "^2.3.2",
    "react-native-router-flux": "^4.0.6",
    "react-redux": "^7.1.0",
    "redux": "^4.0.4",
    "redux-thunk": "^2.3.0"
  },
  "devDependencies": {
    "@babel/core": "7.5.5",
    "@babel/runtime": "7.5.5",
    "@react-native-community/eslint-config": "0.0.5",
    "babel-jest": "24.8.0",
    "eslint": "6.1.0",
    "jest": "24.8.0",
    "metro-react-native-babel-preset": "0.55.0",
    "react-test-renderer": "16.8.6"
  },
  "jest": {
    "preset": "react-native"
  }
}


package-lock.json

{
  "name": "fridge",
  "version": "0.0.1",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
...
"react-native": {
      "version": "0.60.4",
      "resolved": "https://registry.npmjs.org/react-native/-/react-native-0.60.4.tgz",
      "integrity": "sha512-WE41lbGQjnzM9srIFtMDtMJkQAvk95iZwuFvAxl68s80bkYa7Ou9sGFHpeYIV6cY8yHtheCSo5q6YMxhdfkdOw==",
      "requires": {
        "@babel/runtime": "^7.0.0",
        "@react-native-community/cli": "^2.0.1",
        "@react-native-community/cli-platform-android": "^2.0.1",
        "@react-native-community/cli-platform-ios": "^2.0.1",
        "abort-controller": "^3.0.0",
        "art": "^0.10.0",
        "base64-js": "^1.1.2",
        "connect": "^3.6.5",
        "create-react-class": "^15.6.3",
        "escape-string-regexp": "^1.0.5",
        "event-target-shim": "^5.0.1",
        "fbjs": "^1.0.0",
        "fbjs-scripts": "^1.1.0",
        "hermesvm": "^0.1.0",
        "invariant": "^2.2.4",
        "jsc-android": "245459.0.0",
        "metro-babel-register": "0.54.1",
        "metro-react-native-babel-transformer": "0.54.1",
        "metro-source-map": "^0.55.0",
        "nullthrows": "^1.1.0",
        "pretty-format": "^24.7.0",
        "promise": "^7.1.1",
        "prop-types": "^15.7.2",
        "react-devtools-core": "^3.6.1",
        "regenerator-runtime": "^0.13.2",
        "scheduler": "0.14.0",
        "stacktrace-parser": "^0.1.3",
        "whatwg-fetch": "^3.0.0"
      },
      "dependencies": {
        "@react-native-community/cli": {
          "version": "2.8.3",
          "resolved": "https://registry.npmjs.org/@react-native-community/cli/-/cli-2.8.3.tgz",
          "integrity": "sha512-khlS6slD6fsIv8R6L0bbQvK2PQ/UJytmh8/XEZ835bDwgbn6U90Yqrf299r6JxKk2/tyckRu6QimQNAkEQxEHg==",
          "requires": {
            "@hapi/joi": "^15.0.3",
            "@react-native-community/cli-platform-android": "^2.8.3",
            "@react-native-community/cli-platform-ios": "^2.8.3",
            "@react-native-community/cli-tools": "^2.8.3",
            "chalk": "^2.4.2",
            "commander": "^2.19.0",
            "compression": "^1.7.1",
            "connect": "^3.6.5",
            "cosmiconfig": "^5.1.0",
            "deepmerge": "^3.2.0",
            "envinfo": "^7.1.0",
            "errorhandler": "^1.5.0",
            "execa": "^1.0.0",
            "fs-extra": "^7.0.1",
            "glob": "^7.1.1",
            "graceful-fs": "^4.1.3",
            "inquirer": "^3.0.6",
            "lodash": "^4.17.5",
            "metro": "^0.54.1",
            "metro-config": "^0.54.1",
            "metro-core": "^0.54.1",
            "metro-react-native-babel-transformer": "^0.54.1",
            "minimist": "^1.2.0",
            "mkdirp": "^0.5.1",
            "morgan": "^1.9.0",
            "node-notifier": "^5.2.1",
            "open": "^6.2.0",
            "ora": "^3.4.0",
            "plist": "^3.0.0",
            "semver": "^5.0.3",
            "serve-static": "^1.13.1",
            "shell-quote": "1.6.1",
            "ws": "^1.1.0"
          }
        },
...
      }
    },
...
}

question

All 5 comments

The root package.json is private and not published, used as a monorepo setup. Published packages live here: https://github.com/react-native-community/cli/tree/master/packages.

There's a bunch of unpublished commits right now, but we try to release often.

@thymikee The underlying issue here is valid I think. I just saw it in a repo I've got, specifically:

There is a dependency on package 'ws' at version ^1.1.0
https://github.com/react-native-community/cli/blob/master/packages/cli/package.json#L65

That version of ws and all versions up to 3.3.1 have a vulnerability that triggers a GitHub warning:
https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a

It appears the dependency needs a bump + test + patch release of the cli?

Should be easy? (famous last words!)

In case it is useful, here are links to the breaking-change releases for forward-porting reference:

https://github.com/websockets/ws/releases/tag/2.0.0
https://github.com/websockets/ws/releases/tag/3.0.0

Getting to the tip of 3.x would fix the warning people see on GitHub, I believe.

But here's the rest:

https://github.com/websockets/ws/releases/tag/4.0.0
https://github.com/websockets/ws/releases/tag/5.0.0
https://github.com/websockets/ws/releases/tag/6.0.0
https://github.com/websockets/ws/releases/tag/7.0.0

A PR to update "ws" would be appreciated!

I'll give it a shot but I'll admit my mild OCD is totally triggered by this report :-)

May I also assume that for something as fundamental as the websocket layer that the CI will also exercise it?

mike@isabela:~/work/react-random/cli (master) % yarn outdated
yarn outdated v1.17.3
info Color legend : 
 "<red>"    : Major Update backward-incompatible updates 
 "<yellow>" : Minor Update backward-compatible features 
 "<green>"  : Patch Update backward-compatible bug fixes
Package                                  Current  Wanted   Latest   Workspace                                    Package Type    URL                                                                                        
@babel/core                              7.1.2    7.6.0    7.6.0                                                 dependencies    https://babeljs.io/                                                                        
@babel/plugin-transform-modules-commonjs 7.2.0    7.6.0    7.6.0                                                 dependencies    https://github.com/babel/babel/tree/master/packages/babel-plugin-transform-modules-commonjs
@babel/preset-env                        7.2.3    7.6.0    7.6.0                                                 dependencies    https://babeljs.io/                                                                        
@babel/preset-typescript                 7.3.3    7.6.0    7.6.0                                                 dependencies    https://github.com/babel/babel/tree/master/packages/babel-preset-typescript                
@hapi/joi                                15.0.3   15.1.1   16.1.4   @react-native-community/cli                  dependencies    https://github.com/hapijs/joi#readme                                                       
@types/execa                             0.9.0    0.9.0    2.0.0    @react-native-community/cli-platform-android devDependencies                                                                                            
@types/jest                              24.0.11  24.0.18  24.0.18                                               dependencies    https://github.com/DefinitelyTyped/DefinitelyTyped.git                                     
@types/lodash                            4.14.123 4.14.138 4.14.138 @react-native-community/cli-tools            devDependencies https://github.com/DefinitelyTyped/DefinitelyTyped.git                                     
@types/node                              8.10.51  8.10.54  12.7.5                                                dependencies    https://github.com/DefinitelyTyped/DefinitelyTyped.git                                     
@types/node-fetch                        2.3.7    2.5.1    2.5.1                                                 dependencies    https://github.com/DefinitelyTyped/DefinitelyTyped.git                                     
@types/node-fetch                        2.3.3    2.5.1    2.5.1    @react-native-community/cli-tools            devDependencies https://github.com/DefinitelyTyped/DefinitelyTyped.git                                     
babel-jest                               24.7.1   24.9.0   24.9.0                                                dependencies    https://github.com/facebook/jest.git                                                       
chalk                                    1.1.3    1.1.3    2.4.2    react-native-cli                             dependencies    https://github.com/chalk/chalk#readme                                                      
commander                                2.19.0   2.20.0   3.0.1    @react-native-community/cli                  dependencies    https://github.com/tj/commander.js#readme                                                  
compression                              1.7.3    1.7.4    1.7.4    @react-native-community/cli                  dependencies    https://github.com/expressjs/compression#readme                                            
connect                                  3.6.6    3.7.0    3.7.0    @react-native-community/cli                  dependencies    https://github.com/senchalabs/connect#readme                                               
cosmiconfig                              5.2.0    5.2.1    5.2.1    @react-native-community/cli                  dependencies    https://github.com/davidtheclark/cosmiconfig#readme                                        
deepmerge                                3.2.0    3.3.0    4.0.0    @react-native-community/cli                  dependencies    https://github.com/TehShrike/deepmerge                                                     
envinfo                                  7.1.0    7.3.1    7.3.1    @react-native-community/cli                  dependencies    https://github.com/tabrindle/envinfo#readme                                                
errorhandler                             1.5.0    1.5.1    1.5.1    @react-native-community/cli                  dependencies    https://github.com/expressjs/errorhandler#readme                                           
eslint                                   5.10.0   5.16.0   6.4.0                                                 dependencies    https://eslint.org                                                                         
eslint-plugin-import                     2.17.0   2.18.2   2.18.2                                                dependencies    https://github.com/benmosher/eslint-plugin-import                                          
execa                                    1.0.0    1.0.0    2.0.4                                                 dependencies    https://github.com/sindresorhus/execa#readme                                               
execa                                    1.0.0    1.0.0    2.0.4    @react-native-community/cli                  dependencies    https://github.com/sindresorhus/execa#readme                                               
execa                                    1.0.0    1.0.0    2.0.4    @react-native-community/cli-platform-android dependencies    https://github.com/sindresorhus/execa#readme                                               
flow-bin                                 0.107.0  0.107.0  0.108.0                                               dependencies    https://github.com/flowtype/flow-bin#readme                                                
flow-typed                               2.5.1    2.6.1    2.6.1                                                 dependencies    https://github.com/flow-typed/flow-typed#readme                                            
fs-extra                                 7.0.1    7.0.1    8.1.0    @react-native-community/cli                  dependencies    https://github.com/jprichardson/node-fs-extra                                              
glob                                     7.1.3    7.1.4    7.1.4    @react-native-community/cli                  dependencies    https://github.com/isaacs/node-glob#readme                                                 
graceful-fs                              4.2.0    4.2.2    4.2.2    @react-native-community/cli                  dependencies    https://github.com/isaacs/node-graceful-fs#readme                                          
inquirer                                 3.3.0    3.3.0    7.0.0    @react-native-community/cli                  dependencies    https://github.com/SBoudrias/Inquirer.js#readme                                            
jest                                     24.7.1   24.9.0   24.9.0                                                dependencies    https://jestjs.io/                                                                         
jetifier                                 1.6.2    1.6.4    1.6.4    @react-native-community/cli-platform-android dependencies    https://github.com/mikehardy/jetifier#readme                                               
lerna                                    3.14.0   3.16.4   3.16.4                                                dependencies    https://github.com/lerna/lerna#readme                                                      
lodash                                   4.17.13  4.17.15  4.17.15  @react-native-community/cli                  dependencies    https://lodash.com/                                                                        
lodash                                   4.17.13  4.17.15  4.17.15  @react-native-community/cli-tools            dependencies    https://lodash.com/                                                                        
logkitty                                 0.6.0    0.6.1    0.6.1    @react-native-community/cli-platform-android dependencies    https://github.com/zamotany/logkitty                                                       
micromatch                               3.1.10   3.1.10   4.0.2                                                 dependencies    https://github.com/micromatch/micromatch                                                   
mime                                     2.4.1    2.4.4    2.4.4    @react-native-community/cli-tools            dependencies    https://github.com/broofa/node-mime#readme                                                 
node-fetch                               2.5.0    2.6.0    2.6.0    @react-native-community/cli-tools            dependencies    https://github.com/bitinn/node-fetch                                                       
node-notifier                            5.4.0    5.4.3    5.4.3    @react-native-community/cli                  dependencies    https://github.com/mikaelbr/node-notifier#readme                                           
open                                     6.2.0    6.4.0    6.4.0    @react-native-community/cli                  dependencies    https://github.com/sindresorhus/open#readme                                                
prompt                                   0.2.14   0.2.14   1.0.0    react-native-cli                             dependencies    https://github.com/flatiron/prompt#readme                                                  
semver                                   5.6.0    5.7.1    6.3.0    react-native-cli                             dependencies    https://github.com/npm/node-semver#readme                                                  
serve-static                             1.13.2   1.14.1   1.14.1   @react-native-community/cli                  dependencies    https://github.com/expressjs/serve-static#readme                                           
shell-quote                              1.6.1    1.6.1    1.7.2    @react-native-community/cli                  dependencies    https://github.com/substack/node-shell-quote                                               
snapshot-diff                            0.5.1    0.5.2    0.5.2    @react-native-community/cli                  devDependencies https://github.com/thymikee/snapshot-diff                                                  
string-length                            2.0.0    2.0.0    3.1.0                                                 dependencies    https://github.com/sindresorhus/string-length#readme                                       
typescript                               3.6.2    3.6.3    3.6.3                                                 dependencies    https://www.typescriptlang.org/                                                            
ws                                       1.1.5    1.1.5    7.1.2    @react-native-community/cli                  dependencies    https://github.com/websockets/ws                    
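The transitive copy discussed in this thread (react-native pulls @react-native-community/cli, which pins ws ^1.1.0 and resolves ws@1.1.5, the same version the yarn outdated listing above shows) can be located mechanically rather than by reading the lock file by hand. The script below is an added example, not code from the react-native-community/cli project or from any commenter: it walks a lockfileVersion 1 package-lock.json (the nested "dependencies" layout posted in the question), reports every resolved copy of a package together with the path that pulls it in, and flags copies whose version is below a caller-supplied "fixed in" version. The embedded lock file is a constructed, abbreviated stand-in for the one posted above, and the 3.3.1 cutoff is taken from the comment's reading of the linked ws fix; treat it as an assumption to be checked against the advisory for your own tree.

```javascript
// Added example: find every copy of a package in a lockfileVersion 1
// package-lock.json and flag the ones below a "fixed in" version.
// Not part of the react-native-community/cli project.

// Constructed sample lock file mirroring the nesting shown in the thread.
// Entries are abbreviated; a real lock file carries "resolved", "integrity"
// and many more packages.
const SAMPLE_LOCK = {
  name: "fridge",
  version: "0.0.1",
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    "react-native": {
      version: "0.60.4",
      requires: { "@react-native-community/cli": "^2.0.1" },
      dependencies: {
        "@react-native-community/cli": {
          version: "2.8.3",
          requires: { ws: "^1.1.0" },
          dependencies: {
            // the nested, old copy the thread is about
            ws: { version: "1.1.5" },
          },
        },
      },
    },
    // a hoisted, newer copy elsewhere in the tree (constructed for contrast)
    ws: { version: "7.1.2" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored on purpose;
// lock files record resolved release versions).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a release version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" maps and collect every copy of `name`,
// recording the chain of packages that pulls it in.
function findCopies(lock, name) {
  const hits = [];
  function walk(deps, path) {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = [...path, `${depName}@${entry.version}`];
      if (depName === name) {
        hits.push({ version: entry.version, path: here.join(" > ") });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Copies strictly below `fixedIn` are reported as vulnerable. The cutoff is
// an input, not something this script knows; the thread reads the linked ws
// fix as landing in 3.3.1, which is what the usage below assumes.
function vulnerableCopies(lock, name, fixedIn) {
  return findCopies(lock, name).filter(
    (c) => compareSemver(c.version, fixedIn) < 0
  );
}

// Human-readable report lines, one per flagged copy.
function report(lock, name, fixedIn) {
  return vulnerableCopies(lock, name, fixedIn).map(
    (c) => `${name}@${c.version} (< ${fixedIn}) via ${c.path}`
  );
}

// Usage against the constructed sample: prints the one nested old copy.
for (const line of report(SAMPLE_LOCK, "ws", "3.3.1")) {
  console.log(line);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the walker only understands the nested lockfileVersion 1 layout shown on this page, so a newer flattened lock file needs a different traversal. The report line makes the fix location obvious: the path ends at the package whose package.json pins the old range, which here is @react-native-community/cli, matching the thread's conclusion that the bump has to happen in the CLI rather than in the application's own package.json. For a quick cross-check without a script, `npm ls ws` prints the same tree positions from the installed node_modules.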