[UICIRC-574] Upgrade react-codemirror2 from 1.0.0 to >=7.0.0 (CVE-2020-7760) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P3
Resolution: Duplicate
Affects Version/s: 5.0.0
Fix Version/s: None
Labels:
- security
- security-reviewed

Template:

Standard Bug Write-Up Format
Development Team:
Vega
Analysis Estimate:
Small < 3 days

Description

Overview:

ui-circulation ships with a ReDoS (regular expressions denial of service) vulnerability.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7760

Steps to Reproduce:

snyk.io and yarn why codemirror show this dependency path:

@folio/platform-complete@3.4.0 › 
@folio/circulation@5.0.1 › 
react-codemirror2@1.0.0 › 
codemirror@5.29.0

codemirror before 5.58.2 has a ReDoS (regular expressions denial of service) vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7760

react-codemirror2 before 7.0.0 depends on a vulnerable codemirror version: https://github.com/scniro/react-codemirror2/commit/1801460b2c35db1372afe221b070143b6e52199c

react-codemirror2 from 7.0.0 depends on a fixed codemirror version.

Task:

Upgrade react-codemirror2 from 1.0.0 to a version that is >=7.0.0.

TestRail: Results

Attachments

Issue Links

has to be done before

UICIRC-658 Spike: Estimate replacement to Jest/RTL tests for src/settings/lib/RuleEditor (part 1)

Closed

UICIRC-823 Spike: Estimate replacement to Jest/RTL tests for src/settings/lib/RuleEditor (part 2)

Closed

relates to

UICIRC-105 update react-codemirror2 to a compatible version

Closed

UICIRC-576 react-codemirror2@"^1.0.0" causes peer-dep inconsistency

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10/May/21 3:28 PM

Updated:: 15/Jun/22 11:07 AM

Resolved:: 22/Jun/21 2:17 AM

Upgrade react-codemirror2 from 1.0.0 to >=7.0.0 (CVE-2020-7760)