Description
react-native-codegen 0.0.7 transitive package unset-value/1.0.0.0 has known security vulnerabilities.
We are using the unset-value/1.0.0 transitive package under the react-native-codegen 0.0.7 library. The unset-value/1.0.0 transitive package has a security issue, i.e. unset-value is vulnerable to a prototype pollution attack. A remote attacker may be able to execute arbitrary code or cause a denial-of-service (DoS) by tricking the library into modifying or adding properties of Object.prototype. CVE: BDSA-2021-4507 (RCE).
We would expect BDSA-2021-4507 (RCE) to be fixed for the unset-value/1.0.0 transitive package by upgrading react-native-codegen 0.0.7 to the latest version.
Version
react-native-codegen 0.0.7
Output of npx react-native info
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: support for ECMAScript is superseded by uglify-js as of v3.13.0
Steps to reproduce
Run the SCA using Blackduck; it found the transitive package unset-value/1.0.0.0 vulnerable, CVE: BDSA-2021-4507 (RCE).
Snack, code example, screenshot, or link to a repository
NA