-
Notifications
You must be signed in to change notification settings - Fork 46.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: 4 Electron (react-devtools dep) security advisories #19279
Comments
dobrite
added
the
Status: Unconfirmed
A potential issue that we haven't yet confirmed as a bug
label
Jul 8, 2020
Interested in contributing the ugprade? |
bvaughn
added
Component: Developer Tools
good first issue
Type: Security
and removed
Status: Unconfirmed
A potential issue that we haven't yet confirmed as a bug
labels
Jul 8, 2020
I'm interested but unfortunately I do not have time to dedicate to moving this through. Hopefully someone else will jump in and tackle this. |
Looks like someone else jumped on it already 😄 I'll review the PR in the morning. |
Fix published as v4.8 https:/facebook/react/blob/master/packages/react-devtools/CHANGELOG.md#480-july-9-2020 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
React version:
16.8.6
There were 4 security issues filed against
electron
, whichreact-devtools
has as a dep. The lowest version that fixes all 4 is7.2.4
but the version requirement ofelectron
forreact-devtools
is^5.0.0
.I freely admit that a good solution is to install
react-devtools
as a dev dependency, but for "reasons" that does not work for us. There are likely others out there in similar situations.These were buried deep in the releases so I am including the links here:
Electron Changelog from 5 -> 6
Electron Changelog from 6 -> 7
Thank you so much for any advice that you may be able to provide. Also thank you for all the work that you do. React, it's community, and it's ecosystem are awesome! 😎
The text was updated successfully, but these errors were encountered: