fix: CVE-2023-45133 #7988

mtolmacs · 2024-05-07T10:46:54Z

Related ticket: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Solution: Upgrade babel dev dependencies to 7.24.

Additional impact: TypeScript types were possible to be compromised due to multiple versions of React and associated types being installed. This PR unifies the React and associated type versions across all workspace packages.

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

vercel · 2024-05-07T10:46:56Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
excalidraw	✅ Ready (Inspect)	Visit Preview	May 26, 2024 4:44pm
excalidraw-package-example	✅ Ready (Inspect)	Visit Preview	May 26, 2024 4:44pm
excalidraw-package-example-with-nextjs	✅ Ready (Inspect)	Visit Preview	May 26, 2024 4:44pm

1 Ignored Deployment

Name	Status	Preview	Updated (UTC)
docs	⬜️ Ignored (Inspect)	Visit Preview	May 26, 2024 4:44pm

github-actions · 2024-05-07T10:49:36Z

Coverage Report

Status	Category	Percentage	Covered / Total
🔴	Lines	65.59% (🎯 70%)	51311 / 78222
🔴	Statements	65.59% (🎯 70%)	51311 / 78222
🔴	Functions	66.68% (🎯 68%)	1565 / 2347
🟢	Branches	80.97% (🎯 70%)	6295 / 7774

File Coverage

No changed files found.

Generated in workflow #2569

packages/excalidraw/package.json

package.json

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

ad1992

@mtolmacs thanks for the fix
let's freeze the version of react and react-dom to 18.2.0 to avoid auto upgrades

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

mtolmacs · 2024-05-26T16:51:26Z

Hi @ad1992 I've made the update as requested.

mtolmacs added 3 commits May 7, 2024 11:24

Upgrade @babel/* versions to 7.24

a39c57e

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

Unify React versioning to avoid sneaky errors and type isues

d321a2c

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

Fix warning message on yarn start

9cb2210

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

mtolmacs self-assigned this May 7, 2024

mtolmacs changed the title ~~Fix CVE-2023-45133~~ Fix/CVE-2023-45133 May 7, 2024

mtolmacs changed the title ~~Fix/CVE-2023-45133~~ fix: CVE-2023-45133 May 7, 2024

dwelle reviewed May 7, 2024

View reviewed changes

packages/excalidraw/package.json Outdated Show resolved Hide resolved

dwelle reviewed May 7, 2024

View reviewed changes

package.json Show resolved Hide resolved

mtolmacs added the dependencies Pull requests that update a dependency file label May 7, 2024

mtolmacs added 2 commits May 7, 2024 20:55

Moving react to peer dependencies

ad3c1e4

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

Moving app dependencies from workspace into app

68b87db

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

vercel bot deployed to Preview – excalidraw-package-example May 7, 2024 19:08 View deployment

vercel bot deployed to Preview – excalidraw May 7, 2024 19:08 View deployment

vercel bot deployed to Preview – excalidraw-package-example-with-nextjs May 7, 2024 19:09 View deployment

Lint fix

95e71c1

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

vercel bot deployed to Preview – excalidraw May 7, 2024 19:15 View deployment

vercel bot deployed to Preview – excalidraw-package-example May 7, 2024 19:15 View deployment

vercel bot deployed to Preview – excalidraw-package-example-with-nextjs May 7, 2024 19:16 View deployment

mtolmacs requested a review from ad1992 May 8, 2024 10:23

ad1992 requested changes May 8, 2024

View reviewed changes

mtolmacs added 2 commits May 16, 2024 08:21

Merge branch 'master' into fix/cve-2023-45133

d334ba4

Fixing react version to exact 18.2.0

605b2c9

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

vercel bot deployed to Preview – docs May 16, 2024 07:39 View deployment

vercel bot deployed to Preview – excalidraw May 16, 2024 07:39 View deployment

vercel bot deployed to Preview – excalidraw-package-example May 16, 2024 07:39 View deployment

vercel bot deployed to Preview – excalidraw-package-example-with-nextjs May 16, 2024 07:42 View deployment

Bump vitest to 1.6.0 to fix history.test.tsx breaking

1de06d5

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

vercel bot deployed to Preview – excalidraw-package-example May 16, 2024 09:41 View deployment

vercel bot deployed to Preview – excalidraw May 16, 2024 09:41 View deployment

vercel bot deployed to Preview – excalidraw-package-example-with-nextjs May 16, 2024 09:42 View deployment

mtolmacs requested a review from ad1992 May 16, 2024 09:44

Merge branch 'master' into fix/cve-2023-45133

d9964c9

Signed-off-by: Mark Tolmacs <mark@lazycat.hu>

vercel bot deployed to Preview – excalidraw-package-example May 26, 2024 16:42 View deployment

vercel bot deployed to Preview – excalidraw May 26, 2024 16:42 View deployment

vercel bot deployed to Preview – excalidraw-package-example-with-nextjs May 26, 2024 16:44 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: CVE-2023-45133 #7988

fix: CVE-2023-45133 #7988

mtolmacs commented May 7, 2024

vercel bot commented May 7, 2024 •

edited

github-actions bot commented May 7, 2024 •

edited

ad1992 left a comment

mtolmacs commented May 26, 2024

fix: CVE-2023-45133 #7988

Are you sure you want to change the base?

fix: CVE-2023-45133 #7988

Conversation

mtolmacs commented May 7, 2024

vercel bot commented May 7, 2024 • edited

github-actions bot commented May 7, 2024 • edited

Coverage Report

ad1992 left a comment

Choose a reason for hiding this comment

mtolmacs commented May 26, 2024

vercel bot commented May 7, 2024 •

edited

github-actions bot commented May 7, 2024 •

edited