Dependency Vulnerabilities with React 0.55.4


#1

I understand why Expo v 29 stuck with React Native v 0.55.4, but the ws package dependency has a high vulnerability that would be resolved with a version update.

The vulnerable version of ws is a dependency of the outdated version of react-devtools-core.

Is there any chance we can get a patch to bump the version of react-devtools-core from 3.1.0 to 3.2.2 to resolve this?


#2

Any feedback here??


#3

The vulnerability page you linked to shows that the ws module can crash if someone sends you a specially-crafted header. This could be an issue in production services as an attacker could take them down, but for React Native the threat would be that an attacker – with access to and knowledge of your local development server – could crash your development server and you’d have to restart it. Given this context the severity of the vulnerability seems very different than in a scenario with a publicly exposed production server.

So basically I would posit that for Expo, the bug in ws is minor and worth fixing but not a reason for panic.
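Checking whether a project actually installs the affected ws and through which package it arrives (here react-devtools-core, as in #1), as an added example that is not part of any post in this thread; the lock-file fragment, the ws version numbers and the minimum-safe version are constructed placeholders.

```javascript
// Added example, not code from the thread: walk an npm package-lock.json (lockfile v1
// nesting, as npm 5/6 wrote it) to find every installed copy of a package such as `ws`,
// show where it sits and who requires it, and flag copies below a minimum version.

// Numeric compare of "major.minor.patch"; pre-release suffixes are ignored.
function compareSemver(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Reports each entry named `target` (version, node_modules path, below-floor flag)
// and each entry whose `requires` names `target`, exposing the transitive chain.
function auditPackage(lock, target, minSafe) {
  const copies = [], requirers = [];
  const walk = (deps, parents) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const chain = [...parents, name];
      if (name === target) {
        copies.push({ version: node.version, vulnerable: compareSemver(node.version, minSafe) < 0,
          path: 'node_modules/' + chain.join('/node_modules/') });
      }
      if (node.requires && node.requires[target]) {
        requirers.push({ by: `${name}@${node.version}`, range: node.requires[target] });
      }
      walk(node.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return { copies, requirers };
}

// Constructed lock fragment mirroring the thread: react-devtools-core 3.1.0 carries its
// own nested ws. The ws versions and MIN_SAFE_VERSION are placeholders, not values from
// the thread; take the real floor from the advisory being tracked.
const SAMPLE_LOCK = {
  dependencies: {
    ws: { version: '5.2.0' },
    'react-devtools-core': {
      version: '3.1.0',
      requires: { ws: '^2.0.0' },
      dependencies: { ws: { version: '2.3.1' } },
    },
  },
};
const MIN_SAFE_VERSION = '3.0.0';
console.log(JSON.stringify(auditPackage(SAMPLE_LOCK, 'ws', MIN_SAFE_VERSION), null, 2));
```

Run it against a real lock file by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; a flagged copy nested under react-devtools-core is the case #1 describes.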

