Skip to content

Commit 483c75d

Browse files
Vinayak Guptameta-codesync[bot]
authored andcommitted
Remove stale yarn.lock to fix CVE-2021-3918
Summary: Delete quick-start/yarn.lock which pins json-schema@0.2.3, a critical prototype pollution vulnerability (GHSA-896r-f27r-55mw / CVE-2021-3918). The vulnerable dep is a transitive pin: request -> http-signature -> jsprim -> json-schema@0.2.3. Since jsprim pins json-schema to an exact vulnerable version, the only clean fix is removing the stale lockfile. Users cloning the sample app and running yarn install will get the latest compatible (non-vulnerable) versions. Reviewed By: shreeshyadav Differential Revision: D99691259 fbshipit-source-id: ed7f918376f7a8e5dacab61ab8102eb86bffc0de
1 parent 06905e9 commit 483c75d

1 file changed

Lines changed: 0 additions & 645 deletions

File tree

0 commit comments

Comments
 (0)