Skip to content

fix: prototype pollution in immer by upgrading to @gorhom/portal v1.0.9 #669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gorhom merged 1 commit into from
Oct 3, 2021
Merged

fix: prototype pollution in immer by upgrading to @gorhom/portal v1.0.9 #669

gorhom merged 1 commit into from
Oct 3, 2021

Conversation

@calintamas
Copy link

@calintamas calintamas commented Sep 29, 2021
edited
Loading

Motivation

Opening a very small PR that addresses a security vulnerability found in v2, explained in more detail below:

  • react-native-bottom-sheet v2.4.0 uses @gorhom/portal v1.0.4
  • @gorhom/portal v1.0.4 depends on immer v8.0.1
  • all immer versions under v9.0.6 suffer from this Prototype Pollution vulnerability

This PR bumps @gorhom/portal to v1.0.9 which no longer uses immer, hence "resolving" the vulnerability.

@gorhom Thank you for all the work on the library!

gorhom
gorhom approved these changes Sep 29, 2021
View reviewed changes
Copy link
Owner

@gorhom gorhom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @calintamas !

@gorhom gorhom added the v2 Written in Reanimated v1 label Sep 29, 2021
@gorhom gorhom merged commit b90a996 into gorhom:v2 Oct 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gorhom gorhom gorhom approved these changes

Assignees

No one assigned

Labels

v2 Written in Reanimated v1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@calintamas @gorhom