acdlite / recompose

A React utility belt for function components and higher-order components.
MIT License
14.77k stars 1.26k forks

fbjs dependency still present in lock file #825

Open mmarchett opened 3 years ago

mmarchett commented 3 years ago

When I install recompose, it keeps downloading fbjs as a dependency, which in turn brings in ua-parser-js as a dependency, which has a Prototype Pollution vulnerability.

DanielRuf commented 3 years ago

It's because the code on npmjs is different compared to the current code in the repo, which is not released.

https://github.com/acdlite/recompose/blob/master/src/packages/recompose/package.json

bdombro commented 2 years ago

I found another public npm fork of this project which has been patched: https://www.npmjs.com/package/@shakacode/recompose

joelzimmer commented 2 years ago

Bump on this - ua-parser-js has a critical vulnerability, it would be great to not have to worry about that coming in.