[DevTools Bug]: react-devtools depends on vulnerable version of electron #25667

slobo80 · 2022-11-11T12:15:45Z

Website or app

https://github.com/facebook/react/blob/main/packages/react-devtools/package.json

Repro steps

Issue

electron package versions <18.3.7 suffer from a security vulnerability: "Exfiltration of hashed SMB credentials on Windows via file:// redirect".
See GHSA-p2jh-44qj-pf2v

Solution

Upgrade electron dependency in react-devtools to >18.3.7

How often does this bug happen?

Every time

DevTools package (automated)

No response

DevTools version (automated)

No response

Error message (automated)

No response

Error call stack (automated)

No response

Error component stack (automated)

No response

GitHub query string (automated)

No response

a7madgamal · 2023-03-07T12:25:50Z

yes, it's also too old that It's not working on latest MacOS. when I debugged it seems it can't open electron

…#26337) ## Summary resolves #25667 This PR also resolves several security issues in the standalone app ## How did you test this change? Tested locally `yarn start` in react-devtools package. Everything works normal --- - To see the specific tasks where the Asana app for GitHub is being used, see below: - https://app.asana.com/0/0/1204123419819195

slobo80 added Component: Developer Tools Status: Unconfirmed A potential issue that we haven't yet confirmed as a bug Type: Bug labels Nov 11, 2022

mondaychen self-assigned this Nov 30, 2022

mondaychen mentioned this issue Mar 7, 2023

[DevTools] upgrade electron to latest version & security improvements #26337

Merged

mondaychen closed this as completed in #26337 Mar 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DevTools Bug]: react-devtools depends on vulnerable version of electron #25667

[DevTools Bug]: react-devtools depends on vulnerable version of electron #25667

slobo80 commented Nov 11, 2022

a7madgamal commented Mar 7, 2023

[DevTools Bug]: react-devtools depends on vulnerable version of electron #25667

[DevTools Bug]: react-devtools depends on vulnerable version of electron #25667

Comments

slobo80 commented Nov 11, 2022

Website or app

Repro steps

Issue

Solution

How often does this bug happen?

DevTools package (automated)

DevTools version (automated)

Error message (automated)

Error call stack (automated)

Error component stack (automated)

GitHub query string (automated)

a7madgamal commented Mar 7, 2023