Cli: Logkitty vulnerability

Created on 5 Jun 2020 · 8 Comments · Source: react-native-community/cli

Hi, today I received an alert from GitHub. It says that I should update logkitty to 0.7.1, but I don't know how?

Some help pls

question

All 8 comments

Upgrade logkitty to the latest version. It's also included in the latest version of CLI.

@thymikee but we don't have Logkitty as a dependency on our package.json. How should we upgrade?

You can regenerate your lock file, e.g. by removing cli entries from it and install again.

Unfortunately for those of us still running react-native 0.61.5, it has dependencies on the cli packages ^3.0.0 which do not appear to include the updated logkitty dependency. Any chance of the security update going into a 3.2.x release @thymikee ?

We accept PRs :)

@thymikee I think you want to say that we should change the following manually:

from

"react-native@https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz":
  version "0.61.4"
  resolved "https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz#69f3f63c36c9df52611847a67c9d94596c1754cc"
  dependencies:
    "@babel/runtime" "^7.0.0"
    "@react-native-community/cli" "^3.0.0-alpha.1"
    "@react-native-community/cli-platform-android" "^3.0.0-alpha.1"
    "@react-native-community/cli-platform-ios" "^3.0.0-alpha.1"

to

"react-native@https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz":
  version "0.61.4"
  resolved "https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz#69f3f63c36c9df52611847a67c9d94596c1754cc"
  dependencies:
    "@babel/runtime" "^7.0.0"
    "@react-native-community/cli" "^4.0.0"
    "@react-native-community/cli-platform-android" "4.0.0"
    "@react-native-community/cli-platform-ios" "4.0.0"

And then run the following command:
yarn upgrade

Please correct me if I'm wrong.

No, I'm not saying that. Never tweak dependencies in your lock file, only remove whole entries and let the package manager regenerate it. You'll find detailed instructions on how to manually remove stuff from yarn lock here.

However, in your case, because you're not on the latest RN version, which uses CLI v4, you'll need to use Yarn's resolutions field so it can resolve all logkitty deps to a single version you care about.

As you mentioned, I used yarn's resolutions and it worked. Thanks to @thymikee .

I added the following into my app.json file.

"resolutions": { "logkitty": "^0.7.1" }
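As an added example (not code from this thread or from the react-native-community/cli project), the script below parses a yarn.lock v1 file, lists every resolved version of a transitive dependency such as logkitty, flags entries that resolve below the advisory's minimum of 0.7.1, and prints the Yarn `resolutions` entry for package.json that pins the whole tree to one version, which is the approach the maintainer recommends above instead of hand-editing the lock file. The lockfile text in SAMPLE_YARN_LOCK, its package versions and its tarball hashes are constructed placeholders; parseYarnLock, findBelowMinimum and resolutionsEntry are names chosen for this example.

```javascript
// Added example: audit a yarn.lock v1 for a transitive dependency that is
// pinned below a required minimum version, then emit the resolutions entry.
// The lockfile below is constructed for this example; versions and hashes
// are placeholders, not real registry data.
const SAMPLE_YARN_LOCK = `
# yarn lockfile v1

"@react-native-community/cli@^3.0.0-alpha.1":
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/@react-native-community/cli/-/cli-3.0.0.tgz#sha1placeholder"
  dependencies:
    logkitty "^0.6.0"

logkitty@^0.6.0:
  version "0.6.1"
  resolved "https://registry.yarnpkg.com/logkitty/-/logkitty-0.6.1.tgz#sha1placeholder"

logkitty@^0.7.1:
  version "0.7.1"
  resolved "https://registry.yarnpkg.com/logkitty/-/logkitty-0.7.1.tgz#sha1placeholder"
`;

// Parse yarn.lock v1: an entry starts at column 0 with one or more
// comma-separated specs ending in ":"; its fields are indented beneath it.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const header = line.replace(/:\s*$/, '');
      const specs = header.split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null, resolved: null };
      entries.push(current);
      continue;
    }
    // Only "version" and "resolved" matter here; nested dependency lines are skipped.
    const m = line.match(/^\s+(version|resolved)\s+"([^"]+)"/);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// "name@range" -> "name"; the search starts at index 1 so scoped packages
// ("@scope/name@range") keep their leading "@".
function packageName(spec) {
  const at = spec.indexOf('@', 1);
  return at === -1 ? spec : spec.slice(0, at);
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Every lock entry for `name` whose resolved version is older than `minVersion`.
function findBelowMinimum(lockText, name, minVersion) {
  return parseYarnLock(lockText)
    .filter(e => e.specs.some(s => packageName(s) === name))
    .filter(e => e.version && compareVersions(e.version, minVersion) < 0)
    .map(e => ({ specs: e.specs, version: e.version }));
}

// The package.json fragment that forces every range of `name` onto one version.
function resolutionsEntry(name, minVersion) {
  return { resolutions: { [name]: `^${minVersion}` } };
}

const findings = findBelowMinimum(SAMPLE_YARN_LOCK, 'logkitty', '0.7.1');
if (findings.length > 0) {
  console.log('lockfile still resolves logkitty below 0.7.1:', findings);
  console.log('add to package.json:', JSON.stringify(resolutionsEntry('logkitty', '0.7.1')));
} else {
  console.log('all logkitty entries are at or above 0.7.1');
}
```

Run it against a real lock file by replacing SAMPLE_YARN_LOCK with `fs.readFileSync('yarn.lock', 'utf8')`; after adding the printed `resolutions` entry to package.json and running `yarn install`, a second pass should report no entries below the minimum. The check is deliberately per-entry rather than per-range, because a lock file can carry several logkitty entries at once and only some of them may be outdated.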
