Summary:
Upgrades Danger to the latest available version to mitigate the jsonwebtoken security vulnerability.
Changelog:
[Internal] [Changed] - Upgrade Danger to 11.2.1 to mitigate jsonwebtoken security vulnerability
Reviewed By: cortinico
Differential Revision: D42505940
fbshipit-source-id: 740edc7316791e5afe894ecdd1e05e13d2ef1f2c
Summary:
Changelog: [General][Security]
The parse method of the `JSON5` library before and including `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.
This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.
Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:
```json
const JSON5 = require('json5');
const doSomethingDangerous = (props) => {
if (props.isAdmin) {
console.log('Doing dangerous thing as admin.');
} else {
console.log('Doing dangerous thing as user.');
}
};
const secCheckKeysSet = (obj, searchKeys) => {
let searchKeyFound = false;
Object.keys(obj).forEach((key) => {
if (searchKeys.indexOf(key) > -1) {
searchKeyFound = true;
}
});
return searchKeyFound;
};
const props = JSON5.parse('{"foo": "bar"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
doSomethingDangerous(props); // "Doing dangerous thing as user."
} else {
throw new Error('Forbidden...');
}
```
If an attacker attempts to set the `isAdmin` key, their request will be rejected:
```js
const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
doSomethingDangerous(props);
} else {
throw new Error('Forbidden...'); // Error: Forbidden...
}
```
However, attackers can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the attacker to bypass the security check and run their request as an admin:
```js
const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
throw new Error('Forbidden...');
}
```
CVE-2022-46175
[CWE-1321](https://cwe.mitre.org/data/definitions/1321.html)
Pull Request resolved: https://github.com/facebook/react-native/pull/35759
Reviewed By: christophpurrer
Differential Revision: D42304806
Pulled By: rshest
fbshipit-source-id: 4ad338c878e8a235ea6b22d9f4d203c8f7779a63
Summary:
Upgrades `react-native` to `deprecated-react-native-prop-types@4.0.0`, which depends on `react-native/normalize-colors` instead of `react-native/normalize-color` and improves compatibility with React Native 0.72.
Changelog:
[General][Changed] Upgraded to `deprecated-react-native-prop-types@4.0.0` - https://github.com/facebook/react-native-deprecated-modules/blob/main/deprecated-react-native-prop-types/CHANGELOG.md
Reviewed By: cortinico
Differential Revision: D42088315
fbshipit-source-id: d1197e9a7d70654f601b421231b66bd760098ddf
Summary:
I just noticed while working on 0.71 that the PR https://github.com/facebook/react-native/pull/35580 was incomplete. This PR takes care of re-aligning the leftovers. (in 0.71 I've taken care of the changes locally)
## Changelog
<!-- Help reviewers and the release process by writing your own changelog entry.
Pick one each for the category and type tags:
For more details, see:
https://reactnative.dev/contributing/changelogs-in-pull-requests
-->
[INTERNAL] [FIXED] - realign "leftover" metro packages from 0.73.3 to 0.73.5
Pull Request resolved: https://github.com/facebook/react-native/pull/35625
Test Plan: N/A
Reviewed By: cortinico, cipolleschi
Differential Revision: D41996338
Pulled By: dmytrorykun
fbshipit-source-id: bc1c95b0159f639e33835b922555d2f5b8c22c66
Summary:
Small PR with bump to the new versions of CLI and Metro in preparation of the stable release for 0.71.
## Changelog
[General] [Changed] - Bump CLI to 10.0.0 and Metro to 0.73.5
Pull Request resolved: https://github.com/facebook/react-native/pull/35580
Test Plan: CI green
Reviewed By: cortinico
Differential Revision: D41800580
Pulled By: jacdebug
fbshipit-source-id: 7bf81308eb41490b004e685b1763574bfd3b27fb
Summary:
Update `babel/*` dependencies specifying `^7.x.y` where `x > 0` to the latest available semver minor, and corresponding superficial snapshot updates reflecting a small decrease in JS bundle size.
- `babel/core` to `^7.20.0`
- `babel/parser` to `^7.20.0`
- `babel/preset-env` to `^7.20.0`
- `babel/traverse` to `^7.20.0`
- `babel/cli` to `^7.19.0`
- `babel/eslint-parser` to `^7.19.0`
- `babel/preset-flow` to `^7.18.0`
- `babel/preset-syntax-flow` to `^7.18.0`
- Deduplicate / refresh others to take in patch updates
Changelog: [Internal] Bump Babel dependencies to latest 7.x
Reviewed By: JoeyMou
Differential Revision: D41449678
fbshipit-source-id: f04fe837a7961c4e2dde45fed59fcd138c2f8723
Summary:
Update `babel/generator` to the latest, which is a semver-minor update within the pre-existing range.
I'm separating this out for ease of review because it brings some noisy snapshot changes, including more granular source maps and fewer empty lines in generated output. The majority of this is a result of https://github.com/babel/babel/pull/14980 (`>=7.19.4`).
This and the previous diff clear the way for a general Babel update, which is currently blocking a perf-boosting Metro PR https://github.com/facebook/metro/pull/854.
Changelog: [Internal] Bump `babel/generator dependency` to `^7.20.0`
Reviewed By: motiz88
Differential Revision: D41438635
fbshipit-source-id: d56853169be22a2197ad53d6320ec6c1faf6b2a7
Summary:
Jscodeshift has become maintained again in the past year, and has gotten rid of quite a good chunk of old dependencies that are no longer needed!
## Changelog
<!-- Help reviewers and the release process by writing your own changelog entry. For an example, see:
https://reactnative.dev/contributing/changelogs-in-pull-requests
-->
[Internal] [Changed] - update jscodeshift
Pull Request resolved: https://github.com/facebook/react-native/pull/35356
Reviewed By: cipolleschi
Differential Revision: D41325527
Pulled By: rshest
fbshipit-source-id: 666b25c9bb3b1720479e9e098968b3b983adc2b4
Summary:
This is just a PR to realign main branch (and put it ahead) of a local change we did in 0.71: 741d102476
## Changelog
<!-- Help reviewers and the release process by writing your own changelog entry. For an example, see:
https://reactnative.dev/contributing/changelogs-in-pull-requests
-->
[General] [Changed] - Bump CLI to v10 alpha5
Pull Request resolved: https://github.com/facebook/react-native/pull/35260
Test Plan: N/A
Reviewed By: christophpurrer
Differential Revision: D41122011
Pulled By: cipolleschi
fbshipit-source-id: 8f01ed94bfd39d58b2e54cd2945fcca5bb8ebd18
Summary:
Quick update (requested by cortinico) ahead of release 0.71. Note that there was not a new release of `react-native-communiity/cli-platform-ios` in f6f23cca4b.
Changelog:
[General][Changed] - Bump CLI to 10.0.0-alpha.2
Reviewed By: robhogan, cortinico
Differential Revision: D40806560
fbshipit-source-id: 5c852a204c3c2d272d0502a34221f24ce7613cb0
Summary:
Small PR with bump to the new versions of CLI and Metro in preparation of the branch cut for 0.71.
While at it, did a cheeky `npx yarn-deduplicate` to clean up a bit the deps.
## Changelog
<!-- Help reviewers and the release process by writing your own changelog entry. For an example, see:
https://reactnative.dev/contributing/changelogs-in-pull-requests
-->
[General] [Changed] - Bump CLI to 10.0.0-alpha.1 and Metro to 0.73.3
Pull Request resolved: https://github.com/facebook/react-native/pull/35107
Test Plan: CI is green
Reviewed By: motiz88
Differential Revision: D40762683
Pulled By: huntie
fbshipit-source-id: e523a49c78588ca80351f44cb02bcd4c0137475e
Summary:
In 2017, React published v15.5 which extracted the built-in `prop types` to a separate package to reflect the fact that not everybody uses them. In 2018, React Native started to remove `PropTypes` from React Native for the same reason. In 0.68 React Native introduced a deprecation warning which notified users that the change was coming, and in 0.69 we removed the PropTypes entirely.
The feedback we've received from the community is that there has not been enough time to migrate libraries off of PropTypes. This has resulted in users needing to patch the React Native package `index.js` file directly to add back the PropTypes, instead of migrating off of them. We can empathize with this fix short term (it unblocks the upgrade) but long term this patch will cause users to miss important changes to `index.js`, and add a maintenance cost for users.
Part of the reason there was not enough time is that we didn't do a good job surfacing libraries that were using PropTypes. This means, when you got a deprecation warning, it wasn't clear where the source of the usage was (either in your code or in a library). So even if you wanted to migrate, it was difficult to know where to actually make the change.
In the next release, we've made it easier to find call sites using deprecated types by [fixing the code frame in errors](https://github.com/react-native-community/cli/pull/1699) reporting in LogBox, and ensuring that [the app doesn't crash without a warning](https://github.com/facebook/react-native/pull/34650). This should make it easier to identify exactly where the deprecated usage is, so you can migrate it.
To help users get off of the patch, and allow more time to migrate, we're walking back the removal of PropTypes, and keeping it as a deprecation for a couple more versions. We ask that you either migrate off PropTypes to a type system like TypeScript, or migrate to the `deprecated-react-native-prop-types` package.
Once we feel more confident that the community has migrated and will not need to patch React Native in order to fix this issue, we'll remove the PropTypes again. **If you have any trouble finding the source of the PropType usage, please file an issue so we can help track it down with you.**
Changelog:
[General][Changed] - Add back deprecated PropTypes
Reviewed By: yungsters
Differential Revision: D40725705
fbshipit-source-id: 8ce61be30343827efd6dc89a012eeef0b6676deb
Summary:
Pull Request resolved: https://github.com/facebook/react-native/pull/35089
Changelog:
[General][Fixed] - Back out "Add enum example to Android/iOS rn-tester TurboModule"
This broke the rn-tester adding due to an invalid flow-enum setup. Needs further investigation
Reviewed By: cipolleschi
Differential Revision: D40714320
fbshipit-source-id: 9831276762f90df0ffaca3304382fe5925009343
Summary:
Pull Request resolved: https://github.com/facebook/react-native/pull/35075
This diff updates the New App template for Android to use the React Native Gradle Plugin.
With this we can:
1. Get rid of all the C++ code.
2. Remove a lot of New Architecture logic in the build.gradle
3. Reuse the prebuilts of React Native/Hermes via prefab
Changelog:
[Android] [Changed] - Update the template to use RNGP
Reviewed By: cipolleschi
Differential Revision: D40673732
fbshipit-source-id: 70935248993d1e24904c982e75f12ad580faa9d8
Summary:
Bumping RNGP to make sure all the changes are available for 0.71
I've also removed the caret from react-native's package.json as
I don't want .5 to be used by template tests yet.
The Android template needs to be updated in order to use
that version of the Gradle plugin.
Changelog:
[Internal] [Changed] - Bump react-native-gradle-plugin to 0.71.5
Reviewed By: cipolleschi
Differential Revision: D40642114
fbshipit-source-id: 70359efc3d2300e9c04c1b361c45061fd1c2931b
Summary:
A super small PR to bump CLI to latest available of the 9.x stream, to make available in main the asset image fix (https://github.com/react-native-community/cli/pull/1290) and to be able to cherry pick it back in 0.70 branch.
## Changelog
<!-- Help reviewers and the release process by writing your own changelog entry. For an example, see:
https://reactnative.dev/contributing/changelogs-in-pull-requests
-->
[General] [Changed] - bump CLI to 9.2.1
Pull Request resolved: https://github.com/facebook/react-native/pull/35022
Test Plan: CI is green
Reviewed By: dmytrorykun
Differential Revision: D40507344
Pulled By: huntie
fbshipit-source-id: 7c3753e9df154eb5835f021cdfe1b476499afb9a
Summary:
A moderate vulnerability was found in all versions of `ws` below 7.4.6 June last year. React native current uses v6.1.4 which is susceptible to it, fortunately this security fix has been backported to v6.X.X and we don't need to upgrade any major versions/worry about breaking changes. This PR bumps `ws` to 6.2.2 ([CHANGELOG](https://github.com/websockets/ws/releases/tag/6.2.2)) due to this ReDoS vulnerability
More information about this vulnerability can be found here -> https://github.com/advisories/GHSA-6fc8-4gx4-v693
Closes https://github.com/facebook/react-native/issues/31646
## Changelog
[Internal] [Security] - Bump ws to 6.2.2 due to ReDoS vulnerability
Pull Request resolved: https://github.com/facebook/react-native/pull/34759
Test Plan:
Ensure WebSocket tests are working as expected
Tested HMR working on Twilight
| iOS | Android |
| https://pxl.cl/2g70M | https://pxl.cl/2g70V |
Reviewed By: hramos, cortinico
Differential Revision: D39722905
fbshipit-source-id: 12088ab5ea26d904675de484e2014949d6696465
Summary:
This PR renames ` hermes-inspector-msggen` to `react-native/hermes-inspector-msggen`, moves it to `packages/hermes-inspector-msggen` and makes the package private as part of RFC480.
Related to https://github.com/facebook/react-native/issues/34692
## Changelog
[General] [Changed] - Move and rename `hermes-inspector-msggen` to `react-native/hermes-inspector-msggen`
Pull Request resolved: https://github.com/facebook/react-native/pull/34850
Test Plan: run `sh ReactCommon/hermes/inspector/tools/run_msggen`
Reviewed By: mattbfb
Differential Revision: D40060406
Pulled By: cortinico
fbshipit-source-id: e018fd88e8374a69fbd8737fbb9abe7565d4a003
Summary:
This PR bumps the dep version of Metro and the RN CLI to latest, and realigns them to avoid the issue we currently have in 0.70: https://github.com/facebook/react-native/issues/34714 (this commit will be cherry-picked there)
Also, it pins it all down to precise version. See comments for reasoning.
While at it, I gave a cleanup pass to the yarn.lock with [`yarn deduplicate`](https://github.com/scinos/yarn-deduplicate#readme).
## Changelog
<!-- Help reviewers and the release process by writing your own changelog entry. For an example, see:
https://reactnative.dev/contributing/changelogs-in-pull-requests
-->
[General] [Changed] - bump CLI to 9.1.3 and Metro to 0.72.3
Pull Request resolved: https://github.com/facebook/react-native/pull/34803
Test Plan: CI is green
Reviewed By: dmytrorykun
Differential Revision: D39967392
Pulled By: dmytrorykun
fbshipit-source-id: 799dd745834c9ba349362f70afb4bdbd1a48260e
Summary:
Creates an ESLint rule that prohibits (and autofixes) imports from `react-native` or `react-native/path/to/file`, within the React Native repository.
The ESLint rule is configured using the `eslint-plugin-lint` package instead of `react-native/eslint-plugin` because the rule is only applicable to the React Native repository. The rule does not (and should not) be publicly facing, and changes to the rule should not require publishing new versions of `react-native/eslint-plugin`. (As a follow-up, the `no-haste-imports` rule should be migrated over from `react-native/eslint-plugin`.)
Changelog:
[Internal]
Reviewed By: javache
Differential Revision: D39831222
fbshipit-source-id: 566330e6df77fdff5ce755324b9f592b9365019e
Summary:
Pull Request resolved: https://github.com/facebook/react-native/pull/34724
Following on from the recent upgrade from Jest 26->27, this brings us up to present day Jest 29 for tests of React Native itself, Metro, and Meta-internal code. An update to the template for RN apps will follow.
Changelog:
[Internal][Fixed] Update to Jest 29
Reviewed By: huntie
Differential Revision: D39543504
fbshipit-source-id: b47fdb678212b475881ec19085f6cd45a4530333