Razzle: Dependency "immer" high vulnerability risk

Created on 22 Feb 2021 · 6 Comments · Source: jaredpalmer/razzle

Current Behavior
It seems like one of your nested dependencies is introducing a security issue.

Expected behavior
There are no high-security issues in the repo or any underlying dependency.

Suggested solution(s)
Would it be possible to upgrade that dependency as they have already fixed that? Or should it be addressed inside the "user's" repo with some npm resolution?

All 6 comments

Any action on this?

https://github.com/immerjs/immer/releases/tag/v8.0.0, there is one breaking change, that has some fallback. Not sure that any environment logic is applicable for a library.

Would be amazing if somebody could have a look at that before Razzle v.4. Not sure how many breaking changes it will introduce. But for bigger codebases, it could be quite difficult to update major versions.

Just to unwind the action that would be required to address this, react-dev-utils updated their dependency to [email protected] in their 11.0.3 release, which would be a major version bump in that dependency for razzle-dev-utils and for razzle.

Fixed in v4

Thank you. Any plans on fixing this on v3 as well?

No plans on fixing this in 3.x since 3.x is prone to break on dep updates. It is only a dev dependency as well that is only used in dev. So will not affect any production code.
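The opening question (whether to patch this in the user's repo with an npm resolution) and the maintainer's point that the copy is dev-only both come down to one check: which nested copies of `immer` a lockfile actually contains, at what version, and whether each is marked `dev`. The script below is an added example, not code from the razzle project or from anyone in this thread. It assumes an npm lockfile with a v2/v3 `packages` map, a constructed sample lockfile, and `8.0.0` (the release linked above) as the minimum acceptable version; take the real threshold from the advisory you are acting on.

```javascript
// Added example (not razzle's code): audit a lockfile for nested copies of a
// package and report version, dev-only status and whether a copy is outdated.

// Parse "MAJOR.MINOR.PATCH" (pre-release suffix ignored) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version `v` is >= `min`, comparing major, minor, then patch.
function versionAtLeast(v, min) {
  const a = parseSemver(v), b = parseSemver(min);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Walk the lockfile's "packages" map (npm lockfile v2/v3) and collect every
// installed copy of `name`, hoisted or nested under another package.
function auditPackage(lockfile, name, minVersion) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isCopy = path === `node_modules/${name}` ||
      path.endsWith(`/node_modules/${name}`);
    if (!isCopy) continue;
    findings.push({
      path,
      version: meta.version,
      dev: Boolean(meta.dev),               // npm marks dev-only installs
      outdated: !versionAtLeast(meta.version, minVersion),
    });
  }
  return findings;
}

// True when an outdated copy is NOT dev-only, i.e. it can reach production.
function affectsProduction(findings) {
  return findings.some((f) => f.outdated && !f.dev);
}

// Constructed sample: a current hoisted immer plus an old copy nested under a
// dev-only tool, mirroring the situation described in this thread.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/immer": { version: "8.0.1" },
    "node_modules/razzle-dev-utils/node_modules/immer": { version: "7.0.9", dev: true },
  },
};

const report = auditPackage(SAMPLE_LOCK, "immer", "8.0.0"); // threshold is an assumption
console.log(report, "affects production:", affectsProduction(report));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `SAMPLE_LOCK`; an outdated copy with `dev: true` is the case the maintainer describes, one with `dev: false` is the case that warrants an `overrides`/`resolutions` entry or an upgrade.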
