Tags: ios, security, npm, installation, react-native-config

High severity vulnerabilities installing react-native-config


When I try to install react-native-config in my React Native project on iOS I always get the same output:


141 packages are looking for funding
  run `npm fund` for details

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

No matter how I do it:

npm install react-native-config
npm i react-native-config
npm install github:lugg/react-native-config

I've tried to reinstall my project from scratch several times. I've installed react-native-config from both npm and github repositories. I've executed npm audit:

# npm audit report

ip  *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix --force`
Will install react-native@0.68.7, which is a breaking change
node_modules/ip
  @react-native-community/cli-doctor  *
  Depends on vulnerable versions of ip
  node_modules/@react-native-community/cli-doctor
    @react-native-community/cli  >=4.13.0
    Depends on vulnerable versions of @react-native-community/cli-doctor
    Depends on vulnerable versions of @react-native-community/cli-hermes
    node_modules/@react-native-community/cli
      react-native  <=0.0.0-ffdfbbec0 || >=0.69.0-rc.0
      Depends on vulnerable versions of @react-native-community/cli
      node_modules/react-native
  @react-native-community/cli-hermes  *
  Depends on vulnerable versions of ip
  node_modules/@react-native-community/cli-hermes

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I've executed npm audit fix --force several times, which takes me into a loop of reinstalling different versions of react-native. In the end, it brings me back to the same output.


Solution

  • I had the same issue. Overriding the version of the vulnerable package (i.e. ip in your case) would fix it. Try adding this to your package.json:

        "overrides": {
          "ip": "2.0.1"
        }
    

    After overriding the version, I ran "npm install" command. No need to run the "npm audit fix --force" command.

    Note: In some cases, overriding the version to latest stable version may introduce breaking changes, hence you may have to be careful in this case.
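To make the answer's override step checkable, here is an added Python example (not part of the question or answer, and not react-native-config's own code). It reads a constructed audit report in the shape `npm audit --json` produces on npm 7 and later (an assumption about that format; only the fields used are included), picks out the packages that carry an advisory themselves rather than inheriting one, writes the `overrides` entry into a package.json object, and then walks a constructed node_modules tree to confirm that every copy of `ip`, nested copies included, is at the overridden version. The version numbers in the sample tree are constructed.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample in the shape of `npm audit --json` (npm 7+ report format,
# assumed); only the fields the helpers below read are included.
SAMPLE_AUDIT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "ip": {
            "name": "ip",
            "severity": "high",
            "isDirect": False,
            # a dict entry in `via` is the package's own advisory
            "via": [{
                "title": "NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks",
                "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22",
                "range": "*",
            }],
            "effects": ["@react-native-community/cli-doctor"],
            "nodes": ["node_modules/ip"],
            "fixAvailable": {"name": "react-native", "version": "0.68.7", "isSemVerMajor": True},
        },
        "@react-native-community/cli-doctor": {
            "name": "@react-native-community/cli-doctor",
            "severity": "high",
            "isDirect": False,
            # a string entry in `via` means the finding is inherited from that dependency
            "via": ["ip"],
            "effects": [],
            "nodes": ["node_modules/@react-native-community/cli-doctor"],
            "fixAvailable": {"name": "react-native", "version": "0.68.7", "isSemVerMajor": True},
        },
    },
}


def root_causes(audit):
    """Packages that carry an advisory themselves; these are the override candidates.
    Entries whose `via` holds only package names inherit their finding and need no override."""
    out = {}
    for name, vuln in audit["vulnerabilities"].items():
        advisories = [v for v in vuln["via"] if isinstance(v, dict)]
        if not advisories:
            continue
        fix = vuln.get("fixAvailable")
        out[name] = {
            "severity": vuln["severity"],
            "advisories": [a["url"] for a in advisories],
            # npm's own fix path for this report is a breaking react-native change
            "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        }
    return out


def add_override(package_json, name, version):
    """Pin a transitive dependency via the `overrides` field (honoured by npm 8.3 and later)."""
    package_json.setdefault("overrides", {})[name] = version
    return package_json


def installed_versions(project_root, name):
    """Map every installed copy of `name` (top-level and nested) to its version."""
    root = Path(project_root)
    found = {}
    for manifest in root.rglob(f"node_modules/{name}/package.json"):
        rel = manifest.parent.relative_to(root).as_posix()
        found[rel] = json.loads(manifest.read_text())["version"]
    return found


def stale_copies(project_root, name, version):
    """Copies that still differ from the override target; empty means the override took effect."""
    return {path: v for path, v in installed_versions(project_root, name).items() if v != version}


def build_demo_tree(base):
    """Constructed node_modules layout: the top-level copy was replaced, but a nested copy
    under cli-doctor still holds a constructed pre-fix version."""
    layout = {
        "node_modules/ip/package.json": {"name": "ip", "version": "2.0.1"},
        "node_modules/@react-native-community/cli-doctor/node_modules/ip/package.json":
            {"name": "ip", "version": "1.1.8"},
    }
    for rel, manifest in layout.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest))


def demo():
    """Apply the answer's override to a minimal package.json, then check the sample tree."""
    pkg = add_override({"name": "app", "dependencies": {"react-native-config": "*"}}, "ip", "2.0.1")
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        stale = stale_copies(tmp, "ip", "2.0.1")
    return pkg, stale


if __name__ == "__main__":
    print(json.dumps(root_causes(SAMPLE_AUDIT), indent=2))
    pkg, stale = demo()
    print(json.dumps(pkg["overrides"]))
    print("stale copies:", stale or "none")
```

Two points worth keeping in mind when using this on a real project: `overrides` is honoured only by npm 8.3 and later, so an older npm silently ignores the field and `npm audit` keeps reporting the same five findings; and a zero count from `npm audit` is the usual signal, but walking node_modules shows exactly which nested path still holds an old copy if the lock file was not regenerated. Pinning a transitive package outside the range its dependents declare is what the answer's final note warns about, so check the dependents' changelogs for the pinned version before relying on it.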