[Snyk] Security upgrade react-native from 0.75.4 to 0.76.0 #255
Conversation
…nerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
|
Review changes with Changed Files
|
Reviewer's Guide by SourceryThis PR is a security upgrade that updates react-native from version 0.75.4 to 0.76.0 to address a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the cross-spawn dependency. The changes are implemented through direct version updates in the package.json and yarn.lock files. No diagrams generated as the changes look simple and do not need a visual representation. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
👋 Hi there!Everything looks good!
|
|
Korbit doesn't automatically review large (500+ lines changed) pull requests such as this one. If you want me to review anyway, use |
|
Lack of Resources and Rate Limiting
DescriptionWhilst the internet may often seem as though it were boundless, it is still bound by a finite amount of computing resources and subject to limitations, with only so much bandwidth, CPU processing power, memory allocation, and storage to go around. At the individual level, for example, think of the last time you tried to spin up that third virtual machine while the host browser was feverishly feeding your multiple open tab habit... resource limitations in action! And although this illustration depicts a non-malicious - indeed, self-imposed - consequence of overload for an individual laptop, there are, unfortunately, attacks that leverage resource and rate limitations of web applications and APIs that have not been configured correctly. Application requests are pretty much what make the internet the internet, with some estimates suggesting that API requests alone make up over 83% of all web traffic. Applications perform day-to-day functions adequately when the request parameters governing the numbers of processes, size of payloads, etc., are set at the appropriate minimums and maximums. However, when the aforementioned resources are incorrectly assigned, applications are not only subject to poor or non-existent performance, but they can also be commandeered by malicious actors to disrupt and deny service. According to OWASP's API4:2019 Lack of Resources & Rate Limiting post, APIs, for example, are vulnerable if even just one of the below limits is lacking or incorrectly set:
Bottom line: set one of the above too low or too high, and your application is at risk. Read moreImpactWhatever the type of application, inadequately configured resource allocation, and rate limits are routinely targeted by attackers. Attacks such as these undermine reliability and availability of entire ecosystems, inevitably resulting in financial and reputational loss. ScenariosSuppose an API is tasked with the retrieval of user-profiles and their corresponding details, providing, as most APIs do, access to its resources that take the form of lists of entities. A set limit of returnable items would typically confine a client filtering this list.
An astute observer will have noticed that the request here would return page 1 and the first 9000000 users, which certainly seems like an above-average number of users for just one page! This attack would succeed to overwhelm the API if the size parameter was improperly validated. PreventionAttacks targeting application misconfigurations that allow unbridled resources and limits are common - the exploitation is uncomplicated and requires minimal resources to execute. Fortunately, robust defense is reasonably straightforward to implement so long as attention is paid to limits that dictate finite resources, i.e., the abovementioned CPU processing power, memory allocation, number of processes and file descriptors, etc. Prevention strategies include:
TestingVerify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever-increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar.
ReferencesAkamai - State of Internet Security |
Please double check the following review of the pull request:Issues counts
Changes in the diff
Identified IssuesNo issues were found in the proposed changes. ExplanationThe proposed change is a straightforward version update of the Missing TestsSince the change is purely a version update of a dependency and does not involve any code logic changes, there are no specific tests to be generated for this update. However, it is recommended to run the existing test suite to ensure that the update does not introduce any regressions or compatibility issues. Summon me to re-review when updated! Yours, Gooroo.dev |
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
gstraccini
bot
added
the
☑️ auto-merge
![gstraccini[bot]](https://avatars.githubusercontent.com/in/480132?s=60&v=4){kind=small}
github-actions
bot
added
the
size/XXL
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
|
Infisical secrets check: 🚨 Secrets leaked! Caution The Infisical CLI tool found secrets leaked in your repository. 💻 Scan logs🔎 Detected secrets in your GIT historyWarning The above table only displays the first 10 leaked secrets. 🐾 Secrets fingerprintTip If you want to ignore these leaked secrets, add the above fingerprint content to a file named |
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is a deprecated package?The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed. Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. What is filesystem access?Accesses the file system, and could potentially read sensitive data. If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. What are unmaintained packages?Package has not been updated in more than 5 years and may be unmaintained. Problems with the package may go unaddressed. Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. What is new author?A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. What is environment variable access?Package accesses environment variables, which may be a sign of credential stuffing or data theft. Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. What is network access?This module accesses the network. Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. What is an AI-detected potential code anomaly?AI has identified unusual behaviors that may pose a security risk. An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. What is dynamic code execution?Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior. Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
Potential issues, bugs, and flaws that can introduce unwanted behavior
Code suggestions and improvements
|
|
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
StreamUpload/package.jsonStreamUpload/yarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-CROSSSPAWN-8303230
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
Summary by Sourcery
Bug Fixes: