
[Bug]: nanoid is a vulnerability in version 5.0.6 #2123

Open
PhongNguyen-Mercatus opened this issue Jan 21, 2025 · 1 comment
@PhongNguyen-Mercatus

Version

v5

Reanimated Version

v3

Gesture Handler Version

v2

Platforms

iOS, Android

What happened?

nanoid is a vulnerability in version 5.0.6


My packages:

  • "react-native": "0.73.8",
  • "@gorhom/bottom-sheet": "5.0.6",
  • "react-native-reanimated": "3.14.0",
  • "react-native-gesture-handler": "2.17.1",

Reproduction steps

I have verified the vulnerabilities of the packages in the project and found that nanoid is a vulnerability in version 5.0.6 by running yarn audit.

Reproduction sample

https://snack.expo.dev/@gorhom/bottom-sheet---issue-reproduction-template

Relevant log output

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Predictable results in nanoid generation when given          │
│               │ non-integer values                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ nanoid                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.3.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @gorhom/bottom-sheet                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @gorhom/bottom-sheet > @gorhom/portal > nanoid               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1101163                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
@PhongNguyen-Mercatus PhongNguyen-Mercatus added the bug Something isn't working label Jan 21, 2025
@PhongNguyen-Mercatus PhongNguyen-Mercatus changed the title [Bug]: nanoid is vulnerability in version 5.0.6 [Bug]: nanoid is a vulnerability in version 5.0.6 Jan 21, 2025
@haydencrain

nanoid is a dependency within @gorhom/portal

If you check the usages (https://github.com/search?q=repo%3Agorhom%2Freact-native-portal%20nanoid&type=code), it's only being used for Portal keys, so although it is a vulnerability from a UUID-generation perspective, I don't think this is a security issue for how it's being used.

Might be worth posting this as an issue in https://github.com/gorhom/react-native-portal, or even just submitting a PR that bumps the version to above the patched version.
