Will there be a security patch on react-router-dom 5.3.4 related to the "React Router allows pre-render data spoofing on React-Router framework mode" vulnerability?

[hoaol]

Hi! I just wanted to check if we could expect an "patch" on react-router-dom 5.3.4 related to the vulnerability:
GHSA-cpj6-fhp6-mr6j
that was fixed in 7.5.2.

One of our applications is still using 5.3.4 and we have a plan to migrate to 7.x but it will result in some rewrite and it would have been nice to do that later on and not as part of a "security patch".

... Maybe this vulnerability is not relevant for 5.3.4?

Regards Hans

[rockettown1]

I feel like there is an issue with the npm audit database for the recent advisories on React Router (data spoofing and cache poisoning)?

The affected versions in the advisories are >=7 but the npm audit report flags lower versions. Our applications are using 6.30.0 and the npm audit failures are blocking our pipelines.

Does anyone know how we can resolve the npm audit false positives?

[brophdawg11]

Hm - that's a good question - how do we clear stale data from npm audit...

[brophdawg11]

It looks like npm audit is powered by the github advistory database, and that is accurate, although I noticed there's a new last_known_affected_version_range field that still has the stale data so I opened PRs to update those as well:

• Update version range for GHSA-cpj6-fhp6-mr6j github/advisory-database#5484
• Update version range for GHSA-f46r-rw29-r322 github/advisory-database#5483

[brophdawg11]

Yeah this was a missed lower bound on the security advisory that was filed. We've since updated the advisory - it did not affect any versions prior to v7.