React version: 16.8.6
There were 4 security issues filed against electron, which react-devtools has as a dep. The lowest version that fixes all 4 is 7.2.4 but the version requirement of electron for react-devtools is ^5.0.0.
I freely admit that a good solution is to install react-devtools as a dev dependency, but for "reasons" that does not work for us. There are likely others out there in similar situations.
These were buried deep in the releases so I am including the links here:
Electron Changelog from 5 -> 6
Electron Changelog from 6 -> 7
Thank you so much for any advice that you may be able to provide. Also thank you for all the work that you do. React, its community, and its ecosystem are awesome! 😎
Interested in contributing the upgrade?
I'm interested but unfortunately I do not have time to dedicate to moving this through. Hopefully someone else will jump in and tackle this.
Looks like someone else jumped on it already :smile: I'll review the PR in the morning.
Fix published as v4.8
https://github.com/facebook/react/blob/master/packages/react-devtools/CHANGELOG.md#480-july-9-2020