React Dev Utils, a set of Webpack utilities used by Create React App projects, moved from version 0.4.2 to 0.5.0. Both versions share the core dependencies opn, chalk, ansi-html, strip-ansi, html-entities and escape-string-regexp; the key difference is the sockjs-client dependency. Version 0.4.2 relies on sockjs-client 1.0.3, while version 0.5.0 uses 1.0.1, an older release. This change most likely reflects a fix or adjustment to the websocket communication and hot module replacement used in development environments. Developers should check for breaking changes or performance differences stemming from this dependency change when upgrading.
The update was released on February 11, 2017, two months after 0.4.2 (December 11, 2016). In addition, the package's repository URL now carries a "git+" prefix for version-control referencing. Examining the commit history between these two versions in the Create React App GitHub repository gives developers and users a clearer picture of the specific bug fixes, performance improvements or new features introduced. Anyone building projects with Create React App should therefore stay informed about such updates to keep development smooth and performance optimal.
All vulnerabilities affecting version 0.5.0 of the package
react-dev-utils OS Command Injection in function getProcessForPort
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (i.e., by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Uncontrolled Resource Consumption in ansi-html
This affects all versions of the package ansi-html. If an attacker provides a malicious string, the library gets stuck processing the input for an extremely long time.
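A mitigation for this class of problem, as an added example that is not ansi-html code: a single-pass converter for the common SGR sequences (reset, bold, the eight basic foreground colours) that escapes HTML and rejects input over a fixed size cap. Each character is visited once and the escape-sequence scan is bounded, so processing time grows linearly with input length rather than stalling on a crafted string. The size limits, the supported codes and the function names are assumptions made for this example.

```javascript
// Added example (not ansi-html code): linear-time ANSI SGR to HTML conversion
// with an explicit input-size cap and a bounded escape-sequence scan.
const MAX_INPUT_LENGTH = 64 * 1024;  // assumption: tune to the log sizes you expect
const MAX_SGR_PARAMS_LENGTH = 32;    // longest "1;31" style parameter list we parse

const FG_COLORS = ['black', 'red', 'green', 'yellow', 'blue', 'magenta', 'cyan', 'white'];

// Plain character-class replacements; each runs in one pass over the text.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

function styleToOpenTag(style) {
  const parts = [];
  if (style.bold) parts.push('font-weight:bold');
  if (style.color) parts.push('color:' + style.color);
  return parts.length ? '<span style="' + parts.join(';') + '">' : '';
}

function ansiToHtml(input) {
  if (typeof input !== 'string') throw new TypeError('input must be a string');
  if (input.length > MAX_INPUT_LENGTH) {
    throw new RangeError('input exceeds ' + MAX_INPUT_LENGTH + ' characters');
  }
  let out = '';
  let style = { bold: false, color: null };
  let open = false; // whether a <span> is currently open in the output
  let text = '';    // plain text accumulated since the last style change

  const flush = () => { out += escapeHtml(text); text = ''; };
  const closeSpan = () => { if (open) { out += '</span>'; open = false; } };

  let i = 0;
  while (i < input.length) {
    // CSI introducer: ESC '['
    if (input.charCodeAt(i) === 0x1b && input[i + 1] === '[') {
      // Scan at most MAX_SGR_PARAMS_LENGTH digits/semicolons, then require 'm'.
      let j = i + 2;
      while (j < input.length && j - (i + 2) < MAX_SGR_PARAMS_LENGTH &&
             (input[j] === ';' || (input[j] >= '0' && input[j] <= '9'))) {
        j++;
      }
      if (input[j] === 'm') {
        flush();
        const params = input.slice(i + 2, j);
        const codes = params === '' ? [0] : params.split(';').map(Number);
        for (const code of codes) {
          if (code === 0) style = { bold: false, color: null };
          else if (code === 1) style.bold = true;
          else if (code === 22) style.bold = false;
          else if (code >= 30 && code <= 37) style.color = FG_COLORS[code - 30];
          else if (code === 39) style.color = null;
          // any other code is ignored rather than parsed further
        }
        closeSpan();
        const tag = styleToOpenTag(style);
        if (tag) { out += tag; open = true; }
        i = j + 1;
        continue;
      }
      // Not a well-formed SGR sequence: drop the ESC byte and keep going.
      i += 1;
      continue;
    }
    text += input[i];
    i++;
  }
  flush();
  closeSpan();
  return out;
}

// Constructed sample: a bold red "Error" followed by plain text.
console.log(ansiToHtml('\x1b[1;31mError\x1b[0m done'));
```

The two limits are what turn "processes any input eventually" into "processes any input in bounded time": the size cap puts a ceiling on total work, and the parameter-length cap means a malformed or absurdly long escape sequence is treated as ordinary text after a constant amount of scanning instead of driving a backtracking match.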
Exposure of Sensitive Information in eventsource
When fetching a URL that redirects to an external site, the user's Cookie and Authorization headers are leaked to the third-party application. According to the same-origin policy, these headers should be "sanitized" before the redirect is followed.
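The same-origin check the advisory calls for, as an added example that is not eventsource code: credential headers (Authorization, Cookie, Proxy-Authorization) are forwarded across a redirect only when the target shares the original request's origin (scheme, host and effective port). The network is replaced by a constructed stub so the redirect chain can be walked offline; the function names, the header set and the sample URLs are this example's assumptions.

```javascript
// Added example (not eventsource code): strip credential headers when a
// redirect crosses an origin boundary, then walk a constructed redirect chain.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Two URLs share an origin when scheme, host and effective port all match.
// URL.origin already normalises default ports (https://a.example:443 -> https://a.example).
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  if (a.origin === 'null' || b.origin === 'null') return false; // opaque origins never match
  return a.origin === b.origin;
}

// Return the headers that may be sent to `toUrl` after a redirect from `fromUrl`.
// Names are compared case-insensitively; the caller's casing is preserved.
function headersForRedirect(fromUrl, toUrl, headers) {
  const forwardCredentials = sameOrigin(fromUrl, toUrl);
  const result = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!forwardCredentials && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    result[name] = value;
  }
  return result;
}

// Offline walk of a redirect chain. `fetchStub(url, headers)` stands in for the
// network and returns { status, location }. Once credentials are dropped at a
// cross-origin hop they stay dropped for the rest of the chain.
function walkRedirects(startUrl, headers, fetchStub, maxHops = 5) {
  const trail = [];
  let url = startUrl;
  let current = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fetchStub(url, current);
    trail.push({ url, headersSent: Object.keys(current).sort() });
    if (res.status < 300 || res.status > 399 || !res.location) {
      return { finalUrl: url, status: res.status, trail };
    }
    const next = new URL(res.location, url).toString(); // resolves relative Location
    current = headersForRedirect(url, next, current);
    url = next;
  }
  throw new Error('too many redirects');
}

// Constructed sample chain: a same-origin hop, then a redirect to another origin.
const SAMPLE_RESPONSES = {
  'https://app.example/events': { status: 302, location: '/events/v2' },
  'https://app.example/events/v2': { status: 307, location: 'https://cdn.example/stream' },
  'https://cdn.example/stream': { status: 200 },
};
function sampleFetch(url) {
  return SAMPLE_RESPONSES[url] || { status: 404 };
}

function demo() {
  return walkRedirects(
    'https://app.example/events',
    { Authorization: 'Bearer constructed-token', Cookie: 'sid=constructed', Accept: 'text/event-stream' },
    sampleFetch
  );
}

console.log(JSON.stringify(demo(), null, 2));
```

In the sample walk the first hop stays on app.example and keeps all three headers, while the hop to cdn.example carries only Accept; that is the behaviour the advisory says a compliant client should have had.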