Commit 483c75d
Remove stale yarn.lock to fix CVE-2021-3918
Summary:
Delete quick-start/yarn.lock which pins json-schema@0.2.3, a critical
prototype pollution vulnerability (GHSA-896r-f27r-55mw / CVE-2021-3918).
The vulnerable dep is a transitive pin: request -> http-signature ->
jsprim -> json-schema@0.2.3. Since jsprim pins json-schema to an exact
vulnerable version, the only clean fix is removing the stale lockfile.
Users cloning the sample app and running yarn install will get the
latest compatible (non-vulnerable) versions.
Reviewed By: shreeshyadav
Differential Revision: D99691259
fbshipit-source-id: ed7f918376f7a8e5dacab61ab8102eb86bffc0de1 parent 06905e9 commit 483c75d
1 file changed
Lines changed: 0 additions & 645 deletions
0 commit comments