Please provide the following:
- SDK Version: 45
- Platforms(Android/iOS/web/all): All
- Add the appropriate “Tag” based on what Expo library you have a question on.
Hi, I recently started a new project which I intend to do as “professionally” as I possibly can. So I initialised a new Expo project with a blank TypeScript template, set up Firebase, etc. When I was done setting up the project I uploaded it to GitHub. GitHub Dependabot then alerted me that I had a critical security vulnerability (9.8) in my package-lock.json file. Because I want to do this project properly I wanted to solve the issue, but `npm audit fix` doesn’t fix the problem and `npm audit fix --force` will upgrade react-native to 0.69, which does even more harm. I thought it might be some of the packages I’ve installed, but I created a new project without these installs and the same problem arises.
So now I’m left with questions:
- How bad is it? I know that it is almost impossible to have an entire project without these alerts. But how about this one? Is it “ignorable” because it’s a CLI tool?
- Is it fixable in any way?
- If it’s bad and isn’t fixable, why is it included in the SDK?
```text
# npm audit report

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix --force`
Will install react-native@0.69.0, which is a breaking change
node_modules/shell-quote
  @react-native-community/cli-tools  4.8.0 - 5.0.0-alpha.0 || 5.0.1-alpha.0 - 6.2.0
  Depends on vulnerable versions of shell-quote
  node_modules/@react-native-community/cli-tools
    @react-native-community/cli  4.8.0 - 7.0.3
    Depends on vulnerable versions of @react-native-community/cli-hermes
    Depends on vulnerable versions of @react-native-community/cli-plugin-metro
    Depends on vulnerable versions of @react-native-community/cli-server-api
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli
      react-native  <=0.0.0-ffdfbbec0 || 0.63.3 - 0.68.2
      Depends on vulnerable versions of @react-native-community/cli
      node_modules/react-native
    @react-native-community/cli-hermes  <=6.3.0
    Depends on vulnerable versions of @react-native-community/cli-platform-android
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-hermes
      @react-native-community/cli-platform-android  4.8.0 - 6.3.0
      Depends on vulnerable versions of @react-native-community/cli-tools
      node_modules/@react-native-community/cli-hermes/node_modules/@react-native-community/cli-platform-android
    @react-native-community/cli-plugin-metro  <=7.0.3
    Depends on vulnerable versions of @react-native-community/cli-server-api
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-plugin-metro
    @react-native-community/cli-server-api  <=7.0.3
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-server-api
```
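An added example to triage this report, not code from the original post nor from the Expo or React Native projects: it walks a `package-lock.json` (lockfile v2/v3 `packages` map), lists every installed copy of `shell-quote`, flags copies at or below 1.7.2 (the range in the advisory above; the first patched release is 1.7.3), reports whether the lockfile marks the copy as dev-only, and shows which packages depend on it. The lockfile below is constructed to mirror the audit output and is not a real project's lock; the function names are this example's own.

```javascript
// Added example: triage package-lock.json for the shell-quote advisory
// GHSA-g4rg-993r-mgx7 (shell-quote <= 1.7.2, fixed in 1.7.3).
// Point auditLock() at a real lockfile's parsed JSON to run it on a project.
const VULNERABLE_MAX = "1.7.2"; // upper bound of the vulnerable range

// Minimal MAJOR.MINOR.PATCH comparison; a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerableShellQuote(version) {
  return compareVersions(version, VULNERABLE_MAX) <= 0;
}

// Lockfile v2/v3 keys are install paths, e.g.
// "node_modules/@react-native-community/cli-tools/node_modules/shell-quote",
// so nested (deduplicated or not) copies are all found.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/shell-quote$/.test(path)) continue;
    findings.push({
      path,
      version: entry.version,
      vulnerable: isVulnerableShellQuote(entry.version),
      // lockfile v2 sets `dev: true` only for packages reachable solely
      // from devDependencies of the root package
      dev: Boolean(entry.dev),
    });
  }
  return findings;
}

// Which installed packages declare a dependency on `name`?
function dependentsOf(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([, e]) => e.dependencies && name in e.dependencies)
    .map(([p]) => p);
}

// Constructed lockfile fragment (not a real project's lock) mirroring the
// chain in the post: react-native -> @react-native-community/cli-tools -> shell-quote.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "react-native": "0.68.2" } },
    "node_modules/react-native": {
      version: "0.68.2",
      dependencies: { "@react-native-community/cli": "^7.0.3" },
    },
    "node_modules/@react-native-community/cli-tools": {
      version: "6.2.0",
      dependencies: { "shell-quote": "1.6.1" },
    },
    "node_modules/shell-quote": { version: "1.6.1" },
  },
};

// Stand-alone run: print the findings and the dependents.
console.log(JSON.stringify(auditLock(sampleLock), null, 2));
console.log("depended on by:", dependentsOf(sampleLock, "shell-quote"));
```

Two practical notes. The `dev` flag comes out `false` here because `react-native` sits under `dependencies`, so the lockfile cannot tell you that the CLI only runs on the developer's machine at build time; that judgement has to come from knowing which package is the dependent, which is why the example lists them. And with npm 8.3 or newer you can force the patched release without touching react-native by adding `"overrides": { "shell-quote": "^1.7.3" }` to the root `package.json`, deleting `node_modules` and the lockfile, running `npm install`, and rerunning `auditLock` on the regenerated lock to confirm every copy reports `vulnerable: false`.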