
Here's a fix for the following vulnerability:

Critical        Prototype Pollution in immer                                  

Package         immer                                                         

Patched in      >=9.0.6                                                       

Dependency of   react-scripts                                                 

Path            react-scripts > react-dev-utils > immer                       

More info       https://github.com/advisories/GHSA-33f9-j839-rf8h

Fix:

  1. Install the patched version of immer, in this case 9.0.6, using the following command:

     npm install --save immer@9.0.6
    
  2. Update the package.json file with npm update.

    IMPORTANT NOTE: if at this point the vulnerability is still present, you can do the following ONLY if you know this will not break your code or mess up dependencies for previous versions or other packages of your project. I'm the only person working on my project, so this fix works in my scenario.

  3. In your package-lock.json file, find the outdated package, in my case:

             "immer": {
                 "version": "8.0.1",
                 "resolved": "https://registry.npmjs.org/immer/-/immer-8.0.1.tgz",
                 "integrity": "sha512-aqXhGP7//Gui2+UrHtvxZxSquQVXTpZ7KDxfCcKAF3Vysvw0CViVaH9RZ1j1xlIYqaaaipBoqcqeibkc17PNvF=="
             },
    

    and straight-up delete it.

This fix seems not very sustainable for all packages/dependencies, but who knows? If there are better ways, let the community know.

Juno Sprite
  • I'm facing the same issue as well. Also, manually updating the package-lock.json is again lost if any of the Devs run `npm run audit --force`. – Sriram R Nov 11 '21 at 13:43
  • I followed your advice, did not work; even after following these steps I am still stuck on the same issue: Critical Prototype Pollution in immer Package immer Patched in >=9.0.6 Dependency of react-scripts Path react-scripts > react-dev-utils > immer – bilaalsblog Nov 19 '21 at 00:04
  • This turned out to be a temporary fix anyway. I'm just ignoring it for the time being. I'll return after launch of my site. I should really fix it by then, ya know? – Juno Sprite Nov 19 '21 at 02:05
  • I updated it manually. Not sure if it's right. Just go to the node_modules folder, find the package that has outdated immer, then find the immer package in the child folders and delete all files. Then install immer as a root package and move files to that folder. In the end update the version number in package-lock.json and remove the installed package from the root. – Volodymyr Mar 23 '22 at 08:58

1 Answer


Your fix should be good enough to patch that critical vulnerability, though as you've identified it tends to be fragile and easy to undo.

If possible, update to react-scripts@^5.0.0 or later. It has already upgraded transitively via react-dev-utils to immer@^9.0.7.

If for whatever reason (e.g. removed polyfills or otherwise) you cannot upgrade react-scripts, I'd suggest after reviewing immer's breaking changes:

  1. npm-force-resolutions: add the following to package.json, then npm install:

       "resolutions": {
         "immer": "9.0.12"
       },
       "scripts": {
         "preinstall": "npx npm-force-resolutions"
       },

  2. OR yarn resolutions: add the following to package.json, then yarn install:

       "resolutions": {
         "immer": "9.0.12"
       },

Of course, if someone else finds another vulnerability in immer in future, you'll need to repeat this with a later version.

P.S. Sorry for answering what I'm sure is a duplicate question, though no obvious one to link to jumps out at me right now.

pzrq
  • I appreciate it! This might be a duplicate, but I looked high and low for similar questions and came up empty-handed. Who knew I would actually have to read the docs to figure this out? My main issue was my significant gap in knowledge on how package versions work and are supposed to be upgraded. It was very confusing at first! I use `yarn` now, though, and that has proven extremely helpful in managing packages. – Juno Sprite Apr 18 '22 at 22:31