
fix: [Security] Update Remix dependency and prevent prototype pollution vulnerabilities #1151

Merged
merged 4 commits into from
Feb 20, 2025

Conversation

moehaje
Contributor

@moehaje moehaje commented Feb 15, 2025

Yoo! 👋

While working with TanStack Form, I noticed Snyk reporting two security vulnerabilities. This PR fixes both issues:

  1. XSS vulnerability in cookie dependency:

    • Updated @remix-run/node from ^2.15.0 to ^2.15.3
    • Fixes medium severity issue SNYK-JS-COOKIE-8163060
  2. Prototype pollution in mutateMergeDeep utility:

    • Added safety checks for dangerous properties like __proto__ and constructor
    • Improved how we handle property assignments
    • Added tests to ensure the fix works and stays working

The changes are straightforward:

  • Package update to get the fixed cookie dependency
  • Added property safety validation in mutateMergeDeep
  • Added comprehensive tests for the prototype pollution fix

I've tested this locally and all tests pass. Both Snyk vulnerabilities should be resolved with these changes.

Let me know if you'd like me to explain anything or make any adjustments! :)

Updates @remix-run/node from ^2.15.0 to ^2.15.3 to resolve
medium severity XSS vulnerability in cookie dependency (SNYK-JS-COOKIE-8163060)
BREAKING CHANGE: The mutateMergeDeep function now includes additional safety checks
for dangerous properties to prevent prototype pollution vulnerability.
This fixes the high severity security issue SNYK-JS-TANSTACKFORMCORE-8706814.
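As an added illustration, not the code of mergeForm.ts in this PR (the page does not show the exact guard that was merged), the following contrasts a naive recursive merge with a hardened variant that applies the kind of check the description names; `naiveMergeDeep`, `safeMergeDeep` and `pollutes` are hypothetical names.

```typescript
// Added illustration, not TanStack Form's mergeForm.ts: a naive recursive
// merge beside a guarded one that refuses the keys named in the PR.

type Obj = Record<string, unknown>;

// Keys through which a merge can reach Object.prototype.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v: unknown): v is Obj {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable: for-in walks an own "__proto__" key (as JSON.parse produces),
// target["__proto__"] resolves to Object.prototype, and the recursion writes
// the attacker-controlled leaf onto it.
export function naiveMergeDeep(target: Obj, source: Obj): Obj {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeDeep(target[key] as Obj, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, dangerous keys rejected, and recursion only into
// an own plain-object property of target (never an inherited one).
export function safeMergeDeep(target: Obj, source: Obj): Obj {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMergeDeep(target[key] as Obj, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a constructed payload through `merge` and reports whether
// Object.prototype was polluted; cleans up afterwards either way.
export function pollutes(merge: (t: Obj, s: Obj) => Obj): boolean {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "x"}') as Obj;
  merge({}, payload);
  const hit = ({} as Obj).polluted === "yes";
  delete (Object.prototype as unknown as Obj).polluted;
  return hit;
}
```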
@balint729

balint729 commented Feb 20, 2025

Hi @crutchcorn, could you please check this? Our project also depends on this package and we would really appreciate it if this could be merged to mitigate the security issue.


nx-cloud bot commented Feb 20, 2025

View your CI Pipeline Execution ↗ for commit e74ef29.

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 1m 44s View ↗
nx run-many --target=build --exclude=examples/** ✅ Succeeded 30s View ↗

☁️ Nx Cloud last updated this comment at 2025-02-20 17:17:15 UTC


pkg-pr-new bot commented Feb 20, 2025


@tanstack/angular-form

npm i https://pkg.pr.new/@tanstack/angular-form@1151

@tanstack/form-core

npm i https://pkg.pr.new/@tanstack/form-core@1151

@tanstack/react-form

npm i https://pkg.pr.new/@tanstack/react-form@1151

@tanstack/lit-form

npm i https://pkg.pr.new/@tanstack/lit-form@1151

@tanstack/solid-form

npm i https://pkg.pr.new/@tanstack/solid-form@1151

@tanstack/valibot-form-adapter

npm i https://pkg.pr.new/@tanstack/valibot-form-adapter@1151

@tanstack/vue-form

npm i https://pkg.pr.new/@tanstack/vue-form@1151

@tanstack/yup-form-adapter

npm i https://pkg.pr.new/@tanstack/yup-form-adapter@1151

@tanstack/zod-form-adapter

npm i https://pkg.pr.new/@tanstack/zod-form-adapter@1151

commit: e74ef29


codecov bot commented Feb 20, 2025

Codecov Report

Attention: Patch coverage is 92.59259% with 2 lines in your changes missing coverage. Please review.

Project coverage is 87.83%. Comparing base (990a916) to head (e74ef29).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
packages/form-core/src/mergeForm.ts 92.59% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1151      +/-   ##
==========================================
- Coverage   87.86%   87.83%   -0.03%     
==========================================
  Files          30       30              
  Lines        1318     1332      +14     
  Branches      354      360       +6     
==========================================
+ Hits         1158     1170      +12     
- Misses        144      146       +2     
  Partials       16       16              

☔ View full report in Codecov by Sentry.

Member

@Balastrong Balastrong left a comment


I tweaked a couple of repo specific things but the fix looks good, thank you! 🚀

@Balastrong Balastrong merged commit 455522c into TanStack:main Feb 20, 2025
6 checks passed
harry-whorlow pushed a commit to harry-whorlow/form that referenced this pull request Feb 21, 2025