`react-dev-utils`: Prototype Pollution in Immer

Created by: SalGnt-Dev

Describe the bug

The react-dev-utils package uses a vulnerable version (v8.0.4) of Immer.

The fix, commit fa671e5, is part of the v9.0.6 release. The react-dev-utils package should use this specific version of Immer.

GitHub CVE

• Prototype Pollution in immer (critical severity): CVE-2021-3757.
• Prototype Pollution in immer (high severity): CVE-2021-23436.

Created by: bpod

I'm seeing this issue flagged as a high vulnerability in our pipeline scan as well. However, I don't think this version of immer would ever be included in a final build since its only used by react-scripts.

Either way, Would love to see this addressed, thank you!

Created by: theKashey

The problem got multiplied by Storybook and potentially more projects which use react-dev-utils

Created by: DaisyyKM

Vulnerability is still there because we are not getting the updated version Linking my comment from PR http://metis.lti.cs.cmu.edu:8023/facebook/create-react-app/-/merge_requests/11364#issuecomment-938057494

Created by: furdzik

Any update on this?

In my project also react-dev-utils@11.0.4 has immer as dependency but still in version 8.0.1.

Created by: ziaulrehman40

This is marked critical, should be fixed on priority

Created by: hijikiman

This problem seems to have been resolved in release 5.0.0