Please provide the following:
- SDK Version: 45
- Platforms(Android/iOS/web/all): All
- Add the appropriate “Tag” based on what Expo library you have a question on.
Hi, I recently started a new project which I intend to do as “professionally” as I possibly can. So I initialised a new Expo project with a blank TypeScript template, set up Firebase, etc… When I was done setting up the project I uploaded it to GitHub. GitHub Dependabot then alerted me that I had a critical security vulnerability (9.8) in my package-lock.json file. Because I want to do this project properly I wanted to solve the issue, but `npm audit fix` doesn’t fix the problem and `npm audit fix --force` will upgrade react-native to 0.69, which does even more harm. I thought it might be some of the packages I’ve installed, but I created a new project without these installs and the same problem arises.
So now I’m left with questions:
How bad is it? I know that it is almost impossible to have an entire project without these alerts. But how about this one? Is it “ignorable” because it’s a CLI tool?
Is it fixable in any way?
If it’s bad and isn’t fixable, why is it included in the SDK?
```
# npm audit report

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix --force`
Will install firstname.lastname@example.org, which is a breaking change
node_modules/shell-quote
  @react-native-community/cli-tools  4.8.0 - 5.0.0-alpha.0 || 5.0.1-alpha.0 - 6.2.0
  Depends on vulnerable versions of shell-quote
  node_modules/@react-native-community/cli-tools
    @react-native-community/cli  4.8.0 - 7.0.3
    Depends on vulnerable versions of @react-native-community/cli-hermes
    Depends on vulnerable versions of @react-native-community/cli-plugin-metro
    Depends on vulnerable versions of @react-native-community/cli-server-api
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli
      react-native  <=0.0.0-ffdfbbec0 || 0.63.3 - 0.68.2
      Depends on vulnerable versions of @react-native-community/cli
      node_modules/react-native
    @react-native-community/cli-hermes  <=6.3.0
    Depends on vulnerable versions of @react-native-community/cli-platform-android
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-hermes
      @react-native-community/cli-platform-android  4.8.0 - 6.3.0
      Depends on vulnerable versions of @react-native-community/cli-tools
      node_modules/@react-native-community/cli-hermes/node_modules/@react-native-community/cli-platform-android
    @react-native-community/cli-plugin-metro  <=7.0.3
    Depends on vulnerable versions of @react-native-community/cli-server-api
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-plugin-metro
    @react-native-community/cli-server-api  <=7.0.3
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-server-api
```
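One way to pin the transitive dependency without the `--force` upgrade, added here as an example and not part of the original post: npm's `overrides` field (npm 8.3 or newer) forces every nested copy of shell-quote in the lock file to a patched release. The `>=1.7.3` floor is inferred from the report's vulnerable range (`<=1.7.2`); the package name and dependency versions are placeholders, and it is assumed the react-native CLI packages work unchanged with the patched shell-quote.

```json
{
  "name": "my-expo-app",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "expo": "~45.0.0",
    "react-native": "0.68.2"
  },
  "overrides": {
    "shell-quote": ">=1.7.3"
  }
}
```

After adding the block, run `npm install` so package-lock.json is rewritten, then confirm with `npm ls shell-quote` and `npm audit` that no copy in the vulnerable range remains.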