Fresh init uses vulnerable shell-quote dependency

Expo SDK
1

Please provide the following:

  1. SDK Version: 45
  2. Platforms(Android/iOS/web/all): All
  3. Add the appropriate “Tag” based on what Expo library you have a question on.

Hi, recently started a new project which I intend to do as “professionally” as I possibly can. So I initialised a new expo project and with a blank typescript template, set-up firebase, etc… When I was done setting up the project I uploaded it to Github. Github dependabot then alerted me that I had a critical security vulnerability (9.8) in my package-lock.json file. Because I want to do this project properly I wanted to solve the issue, but npm audit fix doesn’t fix the problem and npm audit fix --force will upgrade react-native to 0.69 which does even more harm. I thought it might be some of the packages i’ve installed, but I created a new project without these installs and the same problem arises.

So now I’m left with questions:

  1. How bad is it? I know that it is almost impossible to have an entire project without these alerts. But how about this one? Is it “ignorable” because its a cli-tool?

  2. Is it fixable in any way?

  3. If its bad and isn’t fixable, why is it included in SDK?

# npm audit report

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix --force`
Will install react-native@0.69.0, which is a breaking change
node_modules/shell-quote
  @react-native-community/cli-tools  4.8.0 - 5.0.0-alpha.0 || 5.0.1-alpha.0 - 6.2.0
  Depends on vulnerable versions of shell-quote
  node_modules/@react-native-community/cli-tools
    @react-native-community/cli  4.8.0 - 7.0.3
    Depends on vulnerable versions of @react-native-community/cli-hermes
    Depends on vulnerable versions of @react-native-community/cli-plugin-metro
    Depends on vulnerable versions of @react-native-community/cli-server-api
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli
      react-native  <=0.0.0-ffdfbbec0 || 0.63.3 - 0.68.2
      Depends on vulnerable versions of @react-native-community/cli
      node_modules/react-native
    @react-native-community/cli-hermes  <=6.3.0
    Depends on vulnerable versions of @react-native-community/cli-platform-android
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-hermes
    @react-native-community/cli-platform-android  4.8.0 - 6.3.0
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-hermes/node_modules/@react-native-community/cli-platform-android
    @react-native-community/cli-plugin-metro  <=7.0.3
    Depends on vulnerable versions of @react-native-community/cli-server-api
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-plugin-metro
    @react-native-community/cli-server-api  <=7.0.3
    Depends on vulnerable versions of @react-native-community/cli-tools
    node_modules/@react-native-community/cli-server-api
2

shell-quote is used by react-devtools-core and @react-native-community/cli-tools

As you seem to understand, it’s not something that will be included in your actual app. I am not sure exactly how it is used by the above packages, but it seems unlikely to cause you any security problems even in development. Unless you somehow allow random users on the Internet to run expo commands via a web interface or something :sweat_smile:

I’ve just had a look at how shell-quote is used and it seems it is only used to parse the REACT_EDITOR environment variable if that environment variable is set. So as long as malicious people can’t set that environment variable on your machine it seems you should be safe.

I don’t know. You could possibly use patch-package to patch the things that depend on it to use a later version. Of course that may cause something to break. But I’m not sure that it’s actually used by Expo at all.

Given that it only seems to be used to parse REACT_EDITOR it should in theory not break anything, except possibly if you make use of that environment variable.

It’s used only in one specific way by the React Native tools only during development so as far as I’m concerned it is low risk.

Unfortunately, npm audit is problematic:

1 Like
3

Thank you so much for well explained answer and the link to the article! This has helped a lot :slight_smile:

1 Like
4

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.