react-dev-utils, a package used by developers building Create React App projects, provides a suite of webpack utilities that streamline the development workflow. Comparing versions 0.5.0 and 0.5.1 reveals subtle but important refinements. Both versions share identical dependencies: opn, chalk, ansi-html, strip-ansi, html-entities, sockjs-client, and escape-string-regexp, indicating that the core functionality remains consistent. These dependencies handle tasks from opening URLs in the browser (opn) to styling console output (chalk, ansi-html, strip-ansi) and dealing with HTML entities (html-entities).
The key difference lies in the release date. Version 0.5.1 was released on February 26, 2017, while version 0.5.0 was released on February 11, 2017. This 15-day gap suggests that version 0.5.1 likely incorporates bug fixes, minor performance improvements, or small refinements based on user feedback from version 0.5.0. For developers using react-dev-utils, upgrading to the later version (0.5.1 in this case) is generally recommended to benefit from these improvements and ensure compatibility with other Create React App components. Always check the changelog for detailed information on what has changed. Since these versions are quite old, consider upgrading to a more recent version of react-dev-utils for the latest features and security patches.
All vulnerabilities related to version 0.5.1 of the package
react-dev-utils OS Command Injection in function getProcessForPort
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (i.e., by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Uncontrolled Resource Consumption in ansi-html
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Exposure of Sensitive Information in eventsource
When fetching a URL with a link to an external site (Redirect), the user's Cookie and Authorization headers are leaked to the third-party application. According to the same-origin policy, the headers should be "sanitized."
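The eventsource advisory describes a client that keeps sending credential headers after a redirect to a different origin. As an added example for this page, not the eventsource package's code, the function below computes which request headers may accompany a redirected request: credential-bearing headers are dropped whenever the resolved `Location` target is not the same origin (scheme and host, including port) as the request that received the redirect, while unrelated headers such as `Accept` are kept. The header set and the sample request are assumptions constructed for the illustration.

```javascript
// Added example for this page; not code from the eventsource package.

// Headers that carry credentials and must not cross an origin boundary.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Same origin means same scheme and same host:port. new URL() normalizes
// default ports away, so https://a.example and https://a.example:443 match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Given the headers sent to `from` and the Location value returned with a
// redirect, return the absolute target URL and the headers that may be
// forwarded to it. Relative Location values are resolved against `from`.
function headersForRedirect(headers, from, location) {
  const target = new URL(location, from).href;
  const crossOrigin = !sameOrigin(from, target);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      continue; // strip credentials when leaving the origin
    }
    forwarded[name] = value;
  }
  return { url: target, headers: forwarded };
}

// Constructed sample request: an SSE client with a bearer token and a session cookie.
const sampleHeaders = {
  Authorization: 'Bearer <placeholder-token>',
  Cookie: 'session=<placeholder>',
  Accept: 'text/event-stream',
};

module.exports = { sameOrigin, headersForRedirect, sampleHeaders };
```

A client that follows redirects itself (rather than delegating to `fetch`, which already applies this rule for cross-origin redirects) should run every hop through a check like this before re-issuing the request.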