search

NoriginMedia / react-spatial-navigation

DEPRECATED. HOC-based Spatial Navigation. NEW Hooks version is available here: https://github.com/NoriginMedia/norigin-spatial-navigation
MIT License
226 stars 64 forks source link

a vulnerability CVE-2020-15168 is introduced in @noriginmedia/react-spatial-navigation #104

Closed ayaka-kms closed 2 years ago

ayaka-kms commented 3 years ago

Hi, @asgvard, a vulnerability CVE-2020-15168 is introduced in @noriginmedia/react-spatial-navigation via: ● @noriginmedia/react-spatial-navigation@2.12.8 ➔ recompose@0.30.0 ➔ fbjs@0.8.17 ➔ isomorphic-fetch@2.2.1 ➔ node-fetch@1.7.3

recompose is a legacy package. It has not been maintained for about 3 years, and is not likely to be updated. Is it possible to migrate recompose to other package to remediate this vulnerability?

I noticed several migration records for recompose in other js repos, such as

  1. in react-dnd, version 7.4.1 ➔ 7.4.2, remove recompose via commit
  2. in @nivo/legends, version 0.67.0 ➔ 0.68.0, remove recompose via commit

Are there any efforts planned that would remediate this vulnerability or migrate recompose?

Thanks ; )

asgvard commented 3 years ago

Hi, yes, there are already few PRs opened with the proposed migration to use hooks instead of recompose, but the open question is still whether we want to sacrifice the convenience of having the HoC that is automatically getting the reference to the current element, as there is no reliable replacement with hooks that will "magically" get the reference. We will probably have to go this path and make the library usage a bit more verbose, but it's still under discussion. This has been planned for a long time, but needs to be prioritized internally.

ayaka-kms commented 3 years ago

@asgvard Thanks a lot for your feedback.