Jest: `merge` package `v1.2.0` has CVE-2018-16469 vulnerability

Created on 1 Nov 2018 · 3 Comments · Source: facebook/jest

jest-haste-map indirectly depends on merge v1.2.0, which has a vulnerability

I have traced the dependency tree:

```
$ yarn why merge
yarn why v1.7.0
[1/4] Why do we have the module "merge"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "merge@1.2.0"
info Reasons this module exists
   - "_project_#jest-haste-map#sane#exec-sh" depends on it
   - Hoisted from "_project_#jest-haste-map#sane#exec-sh#merge"
...
```
  • The current version of exec-sh (v0.3.2) has removed the merge dependency.
  • The current version of sane (v4.0.1), however, still uses the v0.2.0 version of exec-sh.

To remove this vulnerability from jest-haste-map, either:

1) Ignore it / wait for it to get patched later (since it's 'only' a dev dependency)
2) Remove / replace the sane package
3) Wait for this PR to be merged and upgrade to the latest version of sane

Upstream Bug

All 3 comments

I've made a PR here #7322 to upgrade sane to 4.0.2 to fix this.

Because caret ranges are used to define the dependencies, a possible workaround is to ensure the newer fixed version of merge (1.2.1) is being used:

```
$ rm -rf package-lock.json node_modules
$ npm i
```
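The two things the thread does by hand, tracing which package pulls `merge` in and checking whether the declared caret range already admits the fixed `1.2.1`, can be done against a lockfile with a short script. The following is an added example, not code from the issue or from jest, yarn or npm. It assumes the npm `package-lock.json` v1 layout (nested `dependencies` objects with `version` and `requires` fields) and a minimal caret-range check that only understands `^x.y.z` and exact pins; the sample lockfile is constructed inline, with `merge 1.2.0` and `exec-sh 0.2.x` taken from the thread and every other version, range and the package name `pinned-tool` being assumptions for illustration.

```javascript
// Added example (not from the jest issue, yarn or npm): audit every copy of a
// package in a package-lock.json v1 structure, report which package requires
// it and with what range, and say whether simply regenerating the lockfile
// (the "rm -rf package-lock.json node_modules && npm i" workaround) would
// resolve to the fixed version, i.e. whether the declared range admits it.

// Constructed sample lockfile. The chain jest-haste-map -> sane -> exec-sh ->
// merge and the versions merge 1.2.0 / exec-sh 0.2.0 come from the thread;
// the other versions, the ranges and "pinned-tool" are assumptions.
const SAMPLE_LOCK = {
  name: "demo-project",
  lockfileVersion: 1,
  dependencies: {
    "jest-haste-map": {
      version: "23.6.0",
      requires: { sane: "^2.5.0" },
      dependencies: {
        sane: {
          version: "2.5.2",
          requires: { "exec-sh": "^0.2.0" },
          dependencies: {
            "exec-sh": { version: "0.2.0", requires: { merge: "^1.2.0" } },
            merge: { version: "1.2.0" },
          },
        },
      },
    },
    // Hypothetical package that pins merge exactly: a relock cannot fix this copy.
    "pinned-tool": { version: "1.0.0", requires: { merge: "1.2.0" } },
    merge: { version: "1.2.0" },
  },
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 comparing major.minor.patch (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal caret semantics: ^1.2.0 admits >=1.2.0 <2.0.0, ^0.2.0 admits
// >=0.2.0 <0.3.0, ^0.0.3 admits only 0.0.3. A bare "x.y.z" is an exact pin.
function caretSatisfies(range, version) {
  const caret = range.startsWith("^");
  if (!caret) return compareVersions(range, version) === 0;
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Walk the nested "dependencies" tree and collect every installed copy of
// `name`, the nesting path it sits at, and the package whose "requires"
// pulled it in (npm resolves a requirer's dependency from its own scope
// outward, so the requirer is a sibling or an ancestor of the copy).
function findPackage(lock, name) {
  const hits = [];
  const walk = (deps, path, ancestors) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      if (depName === name) {
        const requirer = [...Object.entries(deps), ...ancestors]
          .find(([, e]) => e.requires && e.requires[name]);
        hits.push({
          path: [...path, depName].join(" > "),
          version: entry.version,
          requiredBy: requirer ? requirer[0] : null,
          requiredAs: requirer ? requirer[1].requires[name] : null,
        });
      }
      walk(entry.dependencies, [...path, depName], [[depName, entry], ...ancestors]);
    }
  };
  walk(lock.dependencies, [], []);
  return hits;
}

// For each copy: is it below the fixed version, and would a fresh resolution
// under the declared range already land on the fixed version?
function audit(lock, name, fixedVersion) {
  return findPackage(lock, name).map((hit) => ({
    ...hit,
    vulnerable: compareVersions(hit.version, fixedVersion) < 0,
    fixableByRelock: hit.requiredAs !== null && caretSatisfies(hit.requiredAs, fixedVersion),
  }));
}

for (const r of audit(SAMPLE_LOCK, "merge", "1.2.1")) {
  console.log(`${r.path}: ${r.version} required by ${r.requiredBy} as ${r.requiredAs}` +
    ` vulnerable=${r.vulnerable} fixableByRelock=${r.fixableByRelock}`);
}
```

On the constructed sample the copy under `sane` is required as `^1.2.0`, so deleting the lockfile and reinstalling resolves it to `1.2.1`, which is exactly why the workaround in the comment above works; the copy pinned exactly to `1.2.0` by `pinned-tool` is reported as not fixable by a relock and needs the pinning package itself to change. Point `audit` at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` to run the same check on a project.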

