Open mmarchett opened 3 years ago
It's because the code on npmjs is different compared to the current code in the repo, which is not released.
https://github.com/acdlite/recompose/blob/master/src/packages/recompose/package.json
I found another public npm fork of this project which has been patched: https://www.npmjs.com/package/@shakacode/recompose
Bump on this - ua-parser-js has a critical vulnerability, it would be great to not have to worry about that coming in.
When I install recompose, it keeps downloading as a dependency fbjs, which in turn brings as a dependency ua-parser-js, which has a Prototype Pollution vulnerability.
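To confirm which dependency path pulls `ua-parser-js` into a project, the chain reported above (recompose, then fbjs, then ua-parser-js) can be traced from the lockfile. The following is an added example, not code from this thread or from the recompose project; `resolveDep`, `findChains` and `sampleLock` are hypothetical names, and the lockfile fragment and its version strings are constructed placeholders.

```javascript
// Resolve dependency `name` as required from lockfile entry `fromKey`,
// walking up nested node_modules directories as Node's resolver does.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. skipped optional dep)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return every dependency chain from the root project to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {}; // lockfileVersion 2 and 3 layout
  const chains = [];
  const walk = (key, chain, seen) => {
    const entry = packages[key];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
                   ...(key === "" ? entry.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const depKey = resolveDep(packages, key, name);
      if (!depKey || seen.has(depKey)) continue; // missing or cyclic
      const next = [...chain, `${name}@${packages[depKey].version}`];
      if (name === target) chains.push(next);
      else walk(depKey, next, new Set(seen).add(depKey));
    }
  };
  if (packages[""]) walk("", [], new Set());
  return chains;
}

// Constructed lockfile fragment mirroring the chain reported in this issue;
// the version strings are placeholders, not real release numbers.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { recompose: "*" } },
    "node_modules/recompose": { version: "0.0.0-placeholder", dependencies: { fbjs: "*" } },
    "node_modules/fbjs": { version: "0.0.0-placeholder", dependencies: { "ua-parser-js": "*" } },
    "node_modules/ua-parser-js": { version: "0.0.0-placeholder" },
  },
};

for (const chain of findChains(sampleLock, "ua-parser-js")) {
  console.log(chain.join(" -> "));
}
```

On a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; `npm ls ua-parser-js` reports the same paths from the installed tree.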